Superposition is an established decision procedure for a variety of first-order logic theories represented by sets of clauses. A satisfiable theory, saturated by superposition, implicitly defines a minimal term-generated model for the theory. Proving universal properties with respect to a saturated theory directly leads to a modification of the minimal model's term-generated domain, as new Skolem functions are introduced. For many applications, this is not desired.

Therefore, we propose the first superposition calculus that can explicitly represent existentially quantified variables and can thus compute with respect to a given domain. This calculus is sound and refutationally complete in the limit for a first-order fixed domain semantics. For saturated Horn theories and classes of positive formulas, we can even employ the calculus to prove properties of the minimal model itself, going beyond the scope of known superposition-based approaches.

Categories and Subject Descriptors: I.2.3 [Artificial Intelligence]: Deduction and Theorem Proving; F.4.1 [Mathematical Logic and Formal Languages]: Mathematical Logic
1. INTRODUCTION

A formula $\Phi$ is entailed by a clause set $N$ with respect to the standard first-order semantics, written $N \models \Phi$, if $\Phi$ holds in all models of $N$ over all possible domains. For a number of applications, this semantics is not sufficient to prove all properties of interest. In some cases, properties with respect to models over the fixed given domain of $N$ are required. These models are isomorphic to Herbrand models of $N$ over the signature $\mathcal{F}$, i.e. models whose domains consist only of terms built over $\mathcal{F}$. We denote this by $N \models_{\mathcal{F}} \Phi$. Even stronger, the validity of $\Phi$ often needs to be considered with respect to a minimal model $\mathcal{I}_N$ of the clause set $N$, written $\mathcal{I}_N \models \Phi$ or alternatively $N \models_{\mathrm{ind}} \Phi$. For the sets of formulas that are valid with respect to these three different semantics, the following relations hold:

$\{\Phi \mid N \models_{\mathrm{ind}} \Phi\} \supseteq \{\Phi \mid N \models_{\mathcal{F}} \Phi\} \supseteq \{\Phi \mid N \models \Phi\}$

The different semantics are of relevance, for example, in proving properties of computer systems. Very often, such systems can be naturally modeled by first-order formulas over a fixed domain. Consider the simple example of a building with three floors, Figure 1.

The bottom (G)round floor and the top (R)estaurant floor of the building are open to the public whereas the middle floor is occupied by a (C)ompany and only open to its employees. In order to support this setting, there are two elevators $a$ and $b$ in the building. Elevator $a$ is for the employees of the company and stops on all three floors whereas elevator $b$ is for visitors of the restaurant, stopping solely on the ground and restaurant floor. Initially, there is a person $p$ in elevator $a$ and a person $q$ in elevator $b$, both on the ground floor. We model the system by three predicates $G$, $C$, $R$ for the different floors, respectively, where, e.g., $G(a,p)$ means that person $p$ sits in elevator $a$ on the ground floor. The initial state of the system and the potential upward moves are modeled by the following clauses: $N_E = \{G(a,p),\ G(b,q),\ G(a,x) \to C(a,x),\ G(a,x) \to R(a,x),\ G(b,x) \to R(b,x)\}$. Let us assume that the above predicates accept in their first argument elevators and in their second persons, e.g. implemented via a many-sorted discipline.

The intended semantics of the elevator system coincides with the minimal model of $N_E$. Therefore, in order to prove properties of the system, we need to consider the semantics $\models_{\mathrm{ind}}$ in general. Nevertheless, some structural properties are valid with respect to $\models$, for example the property that whenever a person (not necessarily $p$ or $q$) sits on the ground floor in elevator $a$ or $b$, they can reach the restaurant floor, i.e. $N_E \models \forall x.\,(G(a,x) \to R(a,x)) \wedge (G(b,x) \to R(b,x))$. In order to prove properties with respect to the specific domain of the system, we need to consider $\models_{\mathcal{F}}$, for our example $\models_{\{a,b,p,q\}}$. With respect to this semantics, the state $R$ is reachable for all elevators, i.e. $N_E \models_{\{a,b,p,q\}} \forall y,x.\,G(y,x) \to R(y,x)$. This property is not valid for $\models$ as there are models of $N_E$ with more elevators than just $a$ and $b$. For example, there could be an elevator for the managers of the company that does not stop at the restaurant floor. Of course, such artificially extended models are not desired for analyzing the scenario. For the above elevator system, the company floor is not reachable by elevator $b$. This can only be proven with respect to $\models_{\mathrm{ind}}$, i.e. $N_E \models_{\mathrm{ind}} \forall x.\,\neg C(b,x)$, but not with respect to $\models_{\{a,b,p,q\}}$ nor $\models$, because there are models of $N_E$ over $\{a,b,p,q\}$ where e.g. $C(b,q)$ holds.

In this simple example, all appearing function symbols are constants and the Herbrand universe is finite. Hence we could code the quantification over the Herbrand universe explicitly as $\forall y,x.\,(y \approx a \vee y \approx b) \wedge (x \approx p \vee x \approx q) \wedge G(y,x) \to R(y,x)$. A property extended in this way is valid in all models of $N_E$ if and only if it is valid in all Herbrand models of $N_E$, i.e. fixed domain reasoning can be reduced to first-order reasoning in this case. This reduction is, however, not possible when the Herbrand universe is infinite.
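The elevator example above, worked in code (an added example, not part of the paper): the minimal model of $N_E$ is computed as a Horn fixpoint, fixed-domain validity over $\{a,b,p,q\}$ is checked by enumerating every Herbrand model over that domain, and an extra constant `m` (the managers' elevator, constructed here) exhibits a model over a larger domain in which the reachability property fails, which is why it is not valid under plain $\models$.

```python
# Added example, not from the paper: the elevator clause set N_E of the
# introduction under the three entailment relations.  Atoms are triples
# (floor predicate, elevator, person); interpretations are sets of true atoms.
from itertools import product

ELEVATORS = ("a", "b")
PERSONS = ("p", "q")
FACTS = {("G", "a", "p"), ("G", "b", "q")}
# Horn rules of N_E, G(e, x) -> H(e, x), as (body predicate, head predicate, e).
RULES = [("G", "C", "a"), ("G", "R", "a"), ("G", "R", "b")]

def minimal_model():
    """Least fixpoint of the Horn clauses: the minimal model I_{N_E} behind |=_ind."""
    model = set(FACTS)
    changed = True
    while changed:
        changed = False
        for body, head, e in RULES:
            for x in PERSONS:
                if (body, e, x) in model and (head, e, x) not in model:
                    model.add((head, e, x))
                    changed = True
    return model

def is_model(interp):
    """Does the interpretation satisfy every clause of N_E?"""
    return FACTS <= interp and all(
        (head, e, x) in interp or (body, e, x) not in interp
        for body, head, e in RULES for x in PERSONS)

def herbrand_models(elevators):
    """All Herbrand models of N_E whose elevator constants are `elevators`
    (2^|atoms| candidates, which is fine for a handful of constants)."""
    atoms = [(P, e, x) for P in "GCR" for e in elevators for x in PERSONS]
    for bits in product((False, True), repeat=len(atoms)):
        interp = {atom for atom, on in zip(atoms, bits) if on}
        if is_model(interp):
            yield interp

def reach_restaurant(interp, elevators):
    """forall y, x. G(y, x) -> R(y, x), evaluated in one interpretation."""
    return all(("R", e, x) in interp or ("G", e, x) not in interp
               for e in elevators for x in PERSONS)

def no_company_by_b(interp, elevators):
    """forall x. not C(b, x), evaluated in one interpretation."""
    return all(("C", "b", x) not in interp for x in PERSONS)

def fixed_domain_valid(prop, elevators=ELEVATORS):
    """N_E |=_{elevators + persons} prop: prop holds in every Herbrand model over
    that domain.  With the extra constant "m" (a managers' elevator, constructed
    here, with no rules about it) the same check finds a countermodel, which is
    the reason the property fails under plain |=."""
    return all(prop(m, elevators) for m in herbrand_models(elevators))

if __name__ == "__main__":
    print(sorted(minimal_model()))
    print(fixed_domain_valid(reach_restaurant))                  # over {a,b,p,q}
    print(fixed_domain_valid(reach_restaurant, ("a", "b", "m")))  # extended domain
    print(fixed_domain_valid(no_company_by_b),
          no_company_by_b(minimal_model(), ELEVATORS))          # |=_{a,b,p,q} vs |=_ind
```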

Inductive ($\models_{\mathrm{ind}}$) and fixed-domain theorem proving are more difficult problems than first-order ($\models$) theorem proving: It follows from Gödel's incompleteness theorem that inductive validity is not semi-decidable, and the same holds for fixed-domain validity.^1 For the standard first-order semantics $\models$, one of the most successful calculi is superposition [Bachmair and Ganzinger 1994; Nieuwenhuis and Rubio 2001; Weidenbach 2001]. This is in particular demonstrated by superposition instances effectively deciding many known decidable classical subclasses of first-order logic, e.g. the monadic class with equality [Bachmair et al. 1993] or the guarded fragment with equality [Ganzinger and Nivelle 1999], as well as a number of decidable first-order classes that have been proven decidable for the first time by means of the superposition calculus [Nieuwenhuis 1996; Jacquemard et al. 1998; Weidenbach 1999; Jacquemard et al. 2006]. Furthermore, superposition has been successfully applied to decision problems from the area of description logics [Hustadt et al. 2004] and data structures [Armando et al. 2009]. The key to this success is an inherent redundancy notion based on the term-generated minimal interpretation of a clause set $N$, that restricts the necessary inferences and thereby often enables termination. If all inferences from a clause set $N$ are redundant (then $N$ is called saturated) and $N$ does not contain the empty clause, then $\mathcal{I}_N$ is a minimal model of $N$.

Consider the following small example, demonstrating again the differences of the three semantics with respect to the minimal term-generated model induced by the superposition calculus. The clause set $N_G = \{G(s(0),0),\ G(x,y) \to G(s(x),s(y))\}$ is finitely saturated by superposition. The model $\mathcal{I}_{N_G}$ in this example consists of all atoms $G(t_1,t_2)$ where $t_2$ is a term over the signature $\mathcal{F}_{nat} = \{s, 0\}$ and $t_1 = s(t_2)$. So the domain of $\mathcal{I}_{N_G}$ is isomorphic to the naturals and the interpretation of $G$ in $\mathcal{I}_{N_G}$ is the "one greater than" relation. Now for the different entailment relations, the following holds:

$N_G \models G(s(s(0)),s(0))$        $N_G \models_{\mathcal{F}_{nat}} G(s(s(0)),s(0))$        $N_G \models_{\mathrm{ind}} G(s(s(0)),s(0))$
$N_G \not\models \forall x.\,G(s(x),x)$        $N_G \models_{\mathcal{F}_{nat}} \forall x.\,G(s(x),x)$        $N_G \models_{\mathrm{ind}} \forall x.\,G(s(x),x)$
$N_G \not\models \forall x.\,\neg G(x,x)$        $N_G \not\models_{\mathcal{F}_{nat}} \forall x.\,\neg G(x,x)$        $N_G \models_{\mathrm{ind}} \forall x.\,\neg G(x,x)$

Superposition is a sound and refutationally complete calculus for the standard semantics $\models$. In this paper, we develop a sound and refutationally complete calculus for $\models_{\mathcal{F}}$. Given a clause set $N$ and a purely existentially quantified conjecture, standard superposition is also complete for $\models_{\mathcal{F}}$. The problem arises with universally quantified conjectures that become existentially quantified after negation. Then, as soon as these existentially quantified variables are Skolemized, the standard superposition calculus applied afterwards no longer computes modulo $\models_{\mathcal{F}}$, but modulo $\models_{\mathcal{F} \cup \{f_1, \ldots, f_n\}}$, where $f_1, \ldots, f_n$ are the introduced Skolem functions. This approach is incomplete: In the example above, $N_G \models_{\mathcal{F}_{nat}} \forall x.\,G(s(x),x)$, but the ground clause $G(s(c),c)$ does not hold in $\mathcal{I}_{N_G}$, where $c$ is the Skolem constant introduced for $x$.

^1 In fact, Peano arithmetic can be encoded in a fixed-domain setting as follows: Given the signature $\mathcal{F}_{PA} = \{s, 0, +, \cdot\}$, let $N$ consist of the clauses $x + 0 \approx x$ and $x + s(y) \approx s(x + y)$ defining addition, $x \cdot 0 \approx 0$ and $x \cdot s(y) \approx (x \cdot y) + x$ defining multiplication, and $s(x) \approx 0 \to$ and $s(x) \approx s(y) \to x \approx y$ stating that all numbers are different. Then $N$ has exactly one Herbrand model over $\mathcal{F}_{PA}$, and this model is isomorphic to the natural numbers. So an arithmetic formula $\Phi$ is valid over the natural numbers if and only if $N \models_{\mathrm{ind}} \Phi$ if and only if $N \models_{\mathcal{F}_{PA}} \Phi$.

The idea behind our new calculus is not to Skolemize existentially quantified variables, but to treat them explicitly by the calculus. This is represented by an extended clause notion, containing a constraint for the existentially quantified variables. For example, the above conjecture $\forall x.\,G(s(x),x)$ results after negation in the clause $u \approx x \,\|\, G(s(x),x) \to$ with existential variable $u$. In addition to standard first-order equational reasoning, the inference and reduction rules of the new calculus also take care of the constraint (see Section 3).

A $\models_{\mathcal{F}}$ unsatisfiability proof of a constrained clause set with our calculus in general requires the computation of infinitely many empty clauses, i.e. we lose compactness. This does not come as a surprise because we have to show that an existentially quantified clause cannot be satisfied by a term-generated infinite domain. For example, proving the unsatisfiability of the set $N_G \cup \{u \approx x \,\|\, G(s(x),x) \to\}$ over the signature $\mathcal{F}_{nat} = \{0, s\}$ amounts to the successive derivation of the clauses $u \approx 0 \,\|\, \Box$, $u \approx s(0) \,\|\, \Box$, $u \approx s(s(0)) \,\|\, \Box$, and so on. In order to represent such an infinite set of empty clauses finitely, a further induction rule, based on the minimal model semantics $\models_{\mathrm{ind}}$, can be employed. We prove the new rule sound in Section 4 and show its potential.

In general, our calculus can cope with (conjecture) formulas of the form $\forall^*\exists^*\Phi$ and does not impose special conditions on $N$ (except saturation for $\models_{\mathrm{ind}}$), which is beyond any known result on superposition-based calculi proving properties of $\models_{\mathcal{F}}$ or $\models_{\mathrm{ind}}$ [Kapur et al. 1991; Caferra and Zabel 1992; Ganzinger and Stuber 1992; Bouhoula 1997; Comon and Nieuwenhuis 2000; Kapur and Subramaniam 2000; Giesl and Kapur 2003; Peltier 2003; Falke and Kapur 2006]. This, together with potential extensions and directions of research, is discussed in the final Section 5.

This article is a significantly extended version of [Horbach and Weidenbach 2008].

2. PRELIMINARIES 

We build on the notions of [Bachmair and Ganzinger 1994; Weidenbach 2001] and briefly recall here the most important concepts as well as the specific extensions needed for the new superposition calculus.

Terms and Clauses 

Let $\mathcal{F}$ be a signature, i.e. a set of function symbols of fixed arity, and $X \cup V$ an infinite set of variables, such that $X$, $V$ and $\mathcal{F}$ are disjoint and $V$ is finite. Elements of $X$ are called universal variables and denoted as $x, y, z$, and elements of $V$ are called existential variables and denoted as $u, v$. We denote by $T(\mathcal{F}, X')$ the set of all terms over $\mathcal{F}$ and $X' \subseteq X \cup V$ and by $T(\mathcal{F})$ the set of all ground terms over $\mathcal{F}$. For technical reasons, we assume that there is at least one ground term, i.e. that $\mathcal{F}$ contains at least one function symbol of arity 0.

We will define equations and clauses in terms of multisets. A multiset over a set $S$ is a function $M : S \to \mathbb{N}$. We use a set-like notation to describe multisets, e.g. $\{x, x, x\}$ denotes the multiset $M$ where $M(x) = 3$ and $M(y) = 0$ for all $y \neq x$ in $S$. An equation is a multiset $\{s, t\}$ of two terms, usually written as $s \approx t$. A (standard universal) clause is a pair of multisets of equations, written $\Gamma \to \Delta$, interpreted as the conjunction of all equations in the antecedent $\Gamma$ implying the disjunction of all equations in the succedent $\Delta$. A clause is Horn if $\Delta$ contains at most one equation. The empty clause is denoted by $\Box$.

We denote the subterm of a term $t$ at position $p$ by $t|_p$. The term that arises from $t$ by replacing the subterm at position $p$ by the term $r$ is $t[r]_p$. A substitution $\sigma$ is a map from a finite set $X' \subseteq X \cup V$ of variables to $T(\mathcal{F}, X)$, and $\mathrm{dom}(\sigma) = X'$ is called its domain.^2 The substitution $\sigma$ is identified with its homomorphic extension to $T(\mathcal{F}, X \cup V)$. The most general unifier of two terms $s, t \in T(\mathcal{F}, X)$ is denoted by $\mathrm{mgu}(s,t)$.

Constrained Clauses 

A constrained clause $v_1 \approx t_1, \ldots, v_n \approx t_n \,\|\, C$ consists of a clause $C$ and a constraint, i.e. a sequence of equations $v_1 \approx t_1, \ldots, v_n \approx t_n$, such that

(1) $V = \{v_1, \ldots, v_n\}$,

(2) $v_i \neq v_j$ for $i \neq j$, and

(3) neither the clause $C$ nor the terms $t_1, \ldots, t_n$ contain existential variables.

Intuitively, constraint equations are just a different type of antecedent literals. The constrained clause is called ground if $C$ and $t_1, \ldots, t_n$ are ground, i.e. if it does not contain any non-existential variables. A constraint $\alpha = v_1 \approx t_1, \ldots, v_n \approx t_n$ induces a substitution $V \to T(\mathcal{F}, X)$ mapping $v_i$ to $t_i$ for all $i$, which we will denote by $\sigma_\alpha$.

Constrained clauses are considered equal up to renaming of non-existential variables. For example, the constrained clauses $u \approx x, v \approx y \,\|\, P(x)$ and $u \approx y, v \approx x \,\|\, P(y)$ are considered equal ($x$ and $y$ have been exchanged), but they are both different from the constrained clause $u \approx y, v \approx x \,\|\, P(x)$, where $u$ and $v$ have been exchanged. We regularly omit constraint equations of the form $v_i \approx x$, where $x$ is a variable, if $x$ does not appear elsewhere in the constrained clause, e.g. when $V = \{u, v\}$, we write $u \approx x \,\|\, P(x)$ for $u \approx x, v \approx y \,\|\, P(x)$. A constrained clause $\|\, C$ is called unconstrained. As constraints are ordered, the notion of positions lifts naturally to constraints.

Clause Orderings 

One of the strengths of superposition is that only inferences involving maximal literals in a clause have to be considered, and that the conclusion of an inference is always smaller than the maximal premise. To state such ordering conditions, we extend a given ordering on terms to literal occurrences inside a clause, and to clauses.

Any ordering $\prec$ on a set $S$ can be extended to an ordering on multisets over $S$ as follows: $M \prec N$ iff $M \neq N$ and whenever there is $x \in S$ such that $N(x) < M(x)$ then $N(y) > M(y)$ for some $y \succ x$.

^2 This notion of a domain is non-standard: Usually, the domain of a substitution is the set of all variables on which the substitution operates non-trivially. However, we want to be able to distinguish between substitutions like $\{x \mapsto f(x)\}$ and $\{x \mapsto f(x);\ y \mapsto y\}$ to simplify the proofs in Section 4.

Considering this, any ordering $\prec$ on terms can be extended to clauses in the following way. We consider clauses as multisets of occurrences of equations. The occurrence of an equation $s \approx t$ in the antecedent is identified with the multiset $\{\{s,t\}\}$; the occurrence of an equation $s \approx t$ in the succedent is identified with the multiset $\{\{s\},\{t\}\}$. Now we lift $\prec$ to equation occurrences as its twofold multiset extension, and to clauses as the multiset extension of this ordering on equation occurrences. If, for example, $s \prec t \prec u$, then the equation occurrences in the clause $s \approx t, t \approx t \to s \approx u$ are ordered as $s \approx t \prec t \approx t \prec s \approx u$, because $\{\{s,t\}\} \prec \{\{t,t\}\} \prec \{\{s\},\{u\}\}$. Observe that an occurrence of an equation $s \approx t$ in the antecedent is strictly bigger than an occurrence of the same equation in the succedent, because $\{\{s\},\{t\}\} \prec \{\{s,t\}\}$.

An occurrence of an equation $s \approx t$ is maximal in a clause $C$ if there is no occurrence of an equation in $C$ that is strictly greater with respect to $\prec$ than the occurrence $s \approx t$. It is strictly maximal in $C$ if there is no other occurrence of an equation in $C$ that is greater than or equal to the occurrence $s \approx t$ with respect to $\prec$.

Moreover, we extend $\prec$ to constraints pointwise^3 by defining $v_1 \approx s_1, \ldots, v_n \approx s_n \prec v_1 \approx t_1, \ldots, v_n \approx t_n$ iff $s_1 \preceq t_1 \wedge \ldots \wedge s_n \preceq t_n$ and $s_1 \neq t_1 \vee \ldots \vee s_n \neq t_n$. Constrained clauses are ordered lexicographically with priority on the constraint, i.e. $\alpha \,\|\, C \prec \beta \,\|\, D$ iff $\alpha \prec \beta$, or $\alpha = \beta$ and $C \prec D$. This ordering is not total on ground constrained clauses, e.g. the constrained clauses $u \approx a, v \approx b \,\|\, \Box$ and $u \approx b, v \approx a \,\|\, \Box$ are incomparable, but the ordering is strong enough to support our completeness results and an extension of the usual notion of redundancy to constrained clauses.

An ordering $\prec$ is well-founded if there is no infinite chain $t_1 \succ t_2 \succ \ldots$; it has the subterm property if $t[t']_p \succ t'$ for all $t, t'$ where $t[t']_p \neq t'$, and it is stable under substitutions if $t \succ t'$ implies $t\sigma \succ t'\sigma$ for all $t, t'$ and all substitutions $\sigma$. A reduction ordering is a well-founded ordering that has the subterm property and is stable under substitutions.

Rewrite Systems 

A binary relation $\to$ on $T(\mathcal{F}, X)$ is a rewrite relation if $s \to t$ implies $u[s\sigma] \to u[t\sigma]$ for all terms $u \in T(\mathcal{F}, X)$ and all substitutions $\sigma$. By $\leftrightarrow$ we denote the symmetric closure of $\to$, and by $\to^*$ (and $\leftrightarrow^*$, respectively) we denote the reflexive and transitive closure of $\to$ (and $\leftrightarrow$).

A set $R$ of equations is called a rewrite system with respect to a term ordering $\prec$ if $s \prec t$ or $t \prec s$ for each equation $s \approx t \in R$. Elements of $R$ are called rewrite rules. We also write $s \to t \in R$ instead of $s \approx t \in R$ if $s \succ t$. By $\to_R$ we denote the smallest rewrite relation for which $s \to_R t$ whenever $s \to t \in R$. A term $s$ is reducible by $R$ if there is a term $t$ such that $s \to_R t$, and irreducible or in normal form (with respect to $R$) otherwise. The same notions also apply to constraints instead of terms.

The rewrite system $R$ is ground if all equations in $R$ are ground. It is terminating if there is no infinite chain $t_0 \to_R t_1 \to_R \ldots$, and it is confluent if for all terms $t, t_1, t_2$ such that $t \to_R^* t_1$ and $t \to_R^* t_2$ there is a term $t_3$ such that $t_1 \to_R^* t_3$ and $t_2 \to_R^* t_3$.

^3 It is also possible to consider constraints as multisets when ordering them, or to extend the ordering lexicographically. While all results of this article remain valid in both cases, the latter approach is less natural because it relies on an ordering on the induction variables.

Herbrand Interpretations 

A Herbrand interpretation over the signature $\mathcal{F}$ is a congruence on the ground terms $T(\mathcal{F})$, where the denotation of a term $t$ is the equivalence class of $t$.

We recall the construction of the special Herbrand interpretation $\mathcal{I}_N$ derived from a set $N$ of (unconstrained) clauses [Bachmair and Ganzinger 1994]. Let $\prec$ be a well-founded reduction ordering that is total on ground terms. We use induction on the clause ordering $\prec$ to define ground rewrite systems $E_C$, $R_C$ and $I_C$ for ground clauses over $T(\mathcal{F})$ by $R_C = \bigcup_{C' \prec C} E_{C'}$, and $I_C = R_C^{*}$, i.e. $I_C$ is the reflexive, transitive closure of $R_C$. Moreover, $E_C = \{s \to t\}$ if $C = \Gamma \to \Delta, s \approx t$ is a ground instance of a clause from $N$ such that

(1) $s \approx t$ is a strictly maximal occurrence of an equation in $C$ and $s \succ t$,

(2) $s$ is irreducible by $R_C$,

(3) $\Gamma \subseteq I_C$, and

(4) $\Delta \cap I_C = \emptyset$.

In this case, we say that $C$ is productive or that $C$ produces $s \to t$. Otherwise $E_C = \emptyset$. Finally, we define a ground rewrite system $R_N = \bigcup_C E_C$ as the set of all produced rewrite rules and define the interpretation $\mathcal{I}_N$ over the domain $T(\mathcal{F})$ as $\mathcal{I}_N = R_N^{*}$. The rewrite system $R_N$ is confluent and terminating. If $N$ is consistent and saturated with respect to a complete inference system then $\mathcal{I}_N$ is a minimal model of $N$ with respect to set inclusion.

We will extend this construction of $\mathcal{I}_N$ to constrained clauses in Section 3.2.
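The multiset extension and clause ordering from the Clause Orderings paragraph and the construction of $\mathcal{I}_N$ above, run on ground instances of $N_G$ from the introduction (an added example, not code from the paper). Atoms are encoded as equations $f_P(\ldots) \approx \mathrm{true}$ as in the Predicates paragraph of this section; the concrete ordering on ground terms (nesting depth, then alphabetical, with $\mathrm{true}$ minimal) and all function names are assumptions made here.

```python
# Added example, not from the paper: the multiset extension of an ordering, the
# ordering on equation occurrences and clauses built from it, and the
# Bachmair-Ganzinger construction of I_N, run on ground instances of N_G from
# the introduction.  Terms are strings such as "s(s(0))"; an atom P(t1,..,tn) is
# the equation f_P(t1,..,tn) ~ true and is written as the string "P(t1,..,tn)".
from collections import Counter
from functools import cmp_to_key

def multiset_gt(m, n, gt):
    """M > N in the multiset extension of gt: M != N, and for every x of which N
    has more copies than M there is some y > x of which M has more copies than N."""
    m, n = Counter(m), Counter(n)
    if m == n:
        return False
    return all(any(gt(y, x) for y in m if m[y] > n[y])
               for x in n if n[x] > m[x])

def term_key(t):
    # Assumed total, well-founded ordering on the ground terms used here: "true"
    # is minimal, then nesting depth (subterm property), then alphabetical.
    return (t != "true", t.count("("), t)

def term_gt(a, b):
    return term_key(a) > term_key(b)

# An occurrence of s ~ t in the antecedent is the multiset {{s,t}}, in the
# succedent {{s},{t}}; multisets are sorted tuples so that Counter can count them.
def ante_occ(s, t):
    return (tuple(sorted((s, t))),)

def succ_occ(s, t):
    return tuple(sorted(((s,), (t,))))

def occ_gt(o1, o2):
    """Twofold multiset extension of term_gt, i.e. the ordering on occurrences."""
    return multiset_gt(o1, o2, lambda e1, e2: multiset_gt(e1, e2, term_gt))

def occurrences(clause):
    """clause = (antecedent atoms, succedent atoms); each atom A stands for A ~ true."""
    ante, succ = clause
    return [ante_occ(a, "true") for a in ante] + [succ_occ(a, "true") for a in succ]

def clause_cmp(c1, c2):
    """Clause ordering: multiset extension of occ_gt over the occurrence multisets."""
    o1, o2 = occurrences(c1), occurrences(c2)
    return 1 if multiset_gt(o1, o2, occ_gt) else -1 if multiset_gt(o2, o1, occ_gt) else 0

def construct_model(ground_clauses):
    """I_N for a set of ground clauses over atoms: clauses are visited in
    increasing order and the atoms A whose rule A -> true was produced are returned."""
    produced = set()                  # R_C: rules produced by the smaller clauses
    for ante, succ in sorted(ground_clauses, key=cmp_to_key(clause_cmp)):
        if not succ:
            continue
        a = max(succ, key=term_key)   # candidate s ~ t with s = a, t = true
        others = occurrences((ante, succ))
        others.remove(succ_occ(a, "true"))          # drop one copy of a's own occurrence
        strictly_max = all(occ_gt(succ_occ(a, "true"), o) for o in others)  # (1)
        irreducible = a not in produced                                      # (2)
        ante_true = set(ante) <= produced                                    # (3)
        succ_false = not any(b in produced for b in succ)                    # (4)
        if strictly_max and irreducible and ante_true and succ_false:
            produced.add(a)
    return produced

def nat(i):
    return "0" if i == 0 else f"s({nat(i - 1)})"

def ground_NG(depth):
    """Ground instances of N_G = {G(s(0),0), G(x,y) -> G(s(x),s(y))} with x and y
    ranging over the numerals below `depth` (a finite cut of the Herbrand universe)."""
    clauses = [((), (f"G({nat(1)},{nat(0)})",))]
    for i in range(depth):
        for j in range(depth):
            clauses.append(((f"G({nat(i)},{nat(j)})",),
                            (f"G({nat(i + 1)},{nat(j + 1)})",)))
    return clauses

if __name__ == "__main__":
    # Ordering example from the text: with s < t < u the occurrences of the clause
    # s~t, t~t -> s~u are ordered s~t < t~t < s~u.
    print(occ_gt(ante_occ("t", "t"), ante_occ("s", "t")),
          occ_gt(succ_occ("s", "u"), ante_occ("t", "t")))
    print(sorted(construct_model(ground_NG(3)), key=term_key))
```

Within the cut, the produced atoms are exactly the "one greater than" pairs described in the introduction, and G(s(0),s(0)) is never produced because its only rule instance has the unproduced antecedent G(0,0).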

Constrained Clause Sets and Their Models 

If $V = \{v_1, \ldots, v_n\}$ and $N$ is a set of constrained clauses, then the semantics of $N$ is that there is a valuation of the existential variables, such that for all valuations of the universal variables, the constraint of each constrained clause in $N$ implies the respective clausal part: An interpretation $\mathcal{M}$ models $N$, written $\mathcal{M} \models N$, iff there is a map $\sigma$ from the set of existential variables to the universe of $\mathcal{M}$,^4 such that for each $(\alpha \,\|\, C) \in N$, the formula $\forall x_1, \ldots, x_m.\,\alpha \to C$ is valid in $\mathcal{M}$ under $\sigma$, where $x_1, \ldots, x_m$ are the universal variables of $\alpha \,\|\, C$. In this case, $\mathcal{M}$ is called a model of $N$. If $\mathcal{M}$ is also a Herbrand interpretation over the signature $\mathcal{F}$ of $N$, we call $\mathcal{M}$ a Herbrand model of $N$.

For example, every Herbrand interpretation over the signature $\{0, s\}$ is a model of $\{v \approx 0 \,\|\, \Box\}$, because instantiating $v$ to $s(0)$ falsifies the constraint. On the other hand, the set $\{u \approx 0 \,\|\, \Box,\ u \approx s(x) \,\|\, \Box\}$ does not have any Herbrand models over $\{0, s\}$ because each instantiation of $u$ to a ground term over this signature validates one of the constraints, so that the corresponding constrained clause is falsified.

Note that the existential quantifiers range over the whole constrained clause set instead of each single constrained clause. The possibly most surprising effect of this is that two constrained clause sets may hold individually in a given interpretation while their union does not. As an example, note that the interpretation $\{P(s(0))\}$ models both constrained clause sets $\{v \approx x \,\|\, P(x)\}$ (namely for $v \mapsto s(0)$) and $\{v \approx x \,\|\, P(s(x))\}$ (namely for $v \mapsto 0$). However, the union $\{v \approx x \,\|\, P(x),\ v \approx x \,\|\, P(s(x))\}$ is not modeled by $\{P(s(0))\}$ because there is no instantiation of $v$ that is suitable for both constrained clauses.

^4 If $\mathcal{M}$ is a Herbrand interpretation over the signature $\mathcal{F}$, then $\sigma : V \to T(\mathcal{F})$ is a substitution mapping every existential variable to a ground term.

Let $M$ and $N$ be two (constrained) clause sets. We write $N \models M$ if each model of $N$ is also a model of $M$. We write $N \models_{\mathcal{F}} M$ if the same holds for each Herbrand model of $N$ over $\mathcal{F}$, and $N \models_{\mathrm{ind}} M$ if $\mathcal{I}_N \models M$. A constrained clause set is satisfiable if it has a model, and it is satisfiable over $\mathcal{F}$ if it has a Herbrand model over $\mathcal{F}$.

Inference Rules and Redundancy 

An inference rule is a relation on constrained clauses. Its elements are called inferences and are written as^5

$\dfrac{\alpha_1 \,\|\, C_1 \quad \ldots \quad \alpha_k \,\|\, C_k}{\alpha \,\|\, C}$

The constrained clauses $\alpha_1 \,\|\, C_1, \ldots, \alpha_k \,\|\, C_k$ are called the premises and $\alpha \,\|\, C$ the conclusion of the inference. An inference system is a set of inference rules. An inference rule is applicable to a constrained clause set $N$ if the premises of the rule are contained in $N$.

A ground constrained clause $\alpha \,\|\, C$ is called redundant with respect to a set $N$ of constrained clauses if there are ground instances $\alpha \,\|\, C_1, \ldots, \alpha \,\|\, C_k$ (with the common constraint $\alpha$) of constrained clauses in $N$ such that $C_i \prec C$ for all $i$ and $C_1, \ldots, C_k \models C$.^6 A non-ground constrained clause is redundant if all its ground instances are redundant. A ground inference with conclusion $\beta \,\|\, B$ is called redundant with respect to $N$ if either some premise is redundant or if there are ground instances $\beta \,\|\, C_1, \ldots, \beta \,\|\, C_k$ of constrained clauses in $N$ such that $C_1, \ldots, C_k \models B$ and $C_1, \ldots, C_k$ are smaller than the maximal premise of the ground inference. A non-ground inference is redundant if all its ground instances are redundant.

A constrained clause set $N$ is saturated (with respect to a given inference system) if each inference with premises in $N$ is redundant with respect to $N$.

Predicates 

Our notion of (constrained) clauses does not natively support predicative atoms. However, predicates can be included as follows: We consider a many-sorted framework with two sorts $\mathit{term}$ and $\mathit{predicate}$, where the predicative sort is separated from the sort of all other terms. The signature is extended by a new constant $\mathrm{true}$ of the predicative sort, and for each predicate $P$ by a function symbol $f_P$ of sort $\mathit{term}, \ldots, \mathit{term} \to \mathit{predicate}$. We then regard a predicative atom $P(t_1, \ldots, t_n)$ as an abbreviation for the equation $f_P(t_1, \ldots, t_n) \approx \mathrm{true}$. As there are no variables of the predicative sort, substitutions do not introduce symbols of this sort and we never explicitly express the sorting, nor do we include predicative symbols when writing down signatures.

A given term ordering $\prec$ is extended to the new symbols such that $\mathrm{true}$ is minimal.

^5 Inference rules are sometimes marked by the letter $\mathcal{I}$ to differentiate them from reduction rules, marked by $\mathcal{R}$, where the premises are replaced by the conclusion. Since all rules appearing in this article are inference rules, we omit this marker.

^6 Note that $\models$ and $\models_{\mathcal{F}}$ agree on ground clauses over $\mathcal{F}$.

3. FIRST-ORDER REASONING IN FIXED DOMAINS

In this section, we will present a saturation procedure for sets of constrained clauses over a domain $T(\mathcal{F})$ and show how it is possible to decide whether a saturated constrained clause set possesses a Herbrand model over $\mathcal{F}$. The calculus extends the superposition calculus of Bachmair and Ganzinger [Bachmair and Ganzinger 1994].

Before we come to the actual inference rules, let us review the semantics of constrained clauses by means of a simple example. Consider the constrained clause set

$\{\ \ \|\, \to G(s(x),0),\quad u \approx x, v \approx y \,\|\, G(x,y) \to\ \}$

over the signature $\mathcal{F}_{nat} = \{s, 0\}$.

This constrained clause set corresponds to the formula $\exists u, v.\,(\forall x.\,G(s(x),0)) \wedge \neg G(u,v)$. In each Herbrand interpretation over $\mathcal{F}_{nat}$, this formula is equivalent to the formula $\exists u, v.\,(\forall x.\,G(s(x),0)) \wedge \neg G(u,v) \wedge (\forall x.\, u \not\approx s(x) \vee v \not\approx 0)$, which corresponds to the following constrained clause set:

$\{\ \ \|\, \to G(s(x),0),\quad u \approx x, v \approx y \,\|\, G(x,y) \to,\quad u \approx s(x), v \approx 0 \,\|\, \Box\ \}$

Hence these two constrained clause sets are equivalent in every Herbrand interpretation over the signature $\mathcal{F}_{nat}$.

An aspect that catches the eye is that, although the clausal part of the last constrained clause is empty, this does not mean that the constrained clause set is unsatisfiable over $\mathcal{F}_{nat}$. The $\Box$ clause is constrained by $u \approx s(x) \wedge v \approx 0$, which means that, e.g., it is not satisfiable under the instantiation $u \mapsto s(0)$ and $v \mapsto 0$. In fact, the instantiated formula $(\forall x.\,G(s(x),0)) \wedge \neg G(s(0),0) \wedge (\forall x.\, s(0) \not\approx s(x) \vee 0 \not\approx 0)$ is unsatisfiable. On the other hand, the clause set is satisfiable under the instantiation $u \mapsto 0$ and $v \mapsto s(0)$.
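The semantics of constrained clause sets from Section 2 (the sets $\{v \approx 0 \,\|\, \Box\}$, $\{u \approx 0 \,\|\, \Box,\ u \approx s(x) \,\|\, \Box\}$ and the two $P$-sets whose union has no model) and the $G$ example just discussed, checked in code on a finite cut $\{0, s(0), \ldots, s^d(0)\}$ of the Herbrand universe over $\{0, s\}$. This is an added example, not code from the paper; the encoding of terms as `(k, base)` pairs and all function names are assumptions made here.

```python
# Added example, not from the paper: the semantics of constrained clause sets
# over the signature {0, s}, checked on the finite cut {0, s(0), ..., s^depth(0)}
# of the Herbrand universe.  A ground term s^k(0) is the int k; a term pattern
# is (k, base), meaning s^k(base), with base None for 0 or a variable name.
from itertools import product

def ground(term, sigma):
    """Instantiate the pattern s^k(base) under the valuation sigma (name -> int)."""
    k, base = term
    return k if base is None else k + sigma[base]

def ground_atom(atom, sigma):
    return (atom[0],) + tuple(ground(t, sigma) for t in atom[1:])

def universal_vars(clause):
    constraint, ante, succ = clause
    terms = list(constraint.values()) + [t for atom in ante + succ for t in atom[1:]]
    return sorted({base for _, base in terms if base is not None})

def instances(clauses, sigma_ex, depth):
    """Ground clausal parts (ante, succ) of the instances whose constraint holds
    when the existential variables take the values in sigma_ex and the universal
    variables range over 0..depth.  Instances with a false constraint are
    vacuously true and are skipped."""
    for clause in clauses:
        constraint, ante, succ = clause
        xs = universal_vars(clause)
        for values in product(range(depth + 1), repeat=len(xs)):
            sigma = dict(zip(xs, values))
            if all(sigma_ex[v] == ground(t, sigma) for v, t in constraint.items()):
                yield [ground_atom(a, sigma) for a in ante], [ground_atom(a, sigma) for a in succ]

def holds(interp, clauses, sigma_ex, depth):
    """Every selected instance is true in interp: an antecedent atom is false or
    a succedent atom is true.  The empty clause is never true."""
    return all(any(a not in interp for a in ante) or any(a in interp for a in succ)
               for ante, succ in instances(clauses, sigma_ex, depth))

def model_witness(interp, clauses, ex_vars, depth):
    """A valuation of the existential variables (shared by the whole clause set)
    under which interp models the set, or None if none exists within the cut."""
    for values in product(range(depth + 1), repeat=len(ex_vars)):
        sigma_ex = dict(zip(ex_vars, values))
        if holds(interp, clauses, sigma_ex, depth):
            return sigma_ex
    return None

def satisfiable_under(clauses, sigma_ex, depth):
    """Is some Herbrand interpretation over the atoms of the selected instances a
    model of the clause set under the fixed valuation sigma_ex?"""
    insts = list(instances(clauses, sigma_ex, depth))
    atoms = sorted({a for ante, succ in insts for a in ante + succ})
    for bits in product((False, True), repeat=len(atoms)):
        interp = {a for a, on in zip(atoms, bits) if on}
        if holds(interp, clauses, sigma_ex, depth):
            return True
    return False

# The clause sets discussed in the text, in the encoding above.
ZERO = (0, None)
def s(base):            # s(.) applied to 0 (base None) or to a variable
    return (1, base)

V_ZERO = [({"v": ZERO}, [], [])]                                    # v~0 || []
U_COVER = [({"u": ZERO}, [], []), ({"u": s("x")}, [], [])]          # u~0 || [], u~s(x) || []
P_X = [({"v": (0, "x")}, [], [("P", (0, "x"))])]                    # v~x || -> P(x)
P_SX = [({"v": (0, "x")}, [], [("P", s("x"))])]                     # v~x || -> P(s(x))
G_SET = [({}, [], [("G", s("x"), ZERO)]),                           # || -> G(s(x),0)
         ({"u": (0, "x"), "v": (0, "y")}, [("G", (0, "x"), (0, "y"))], [])]  # u~x,v~y || G(x,y) ->

if __name__ == "__main__":
    P_S0 = {("P", 1)}                                   # the interpretation {P(s(0))}
    print(model_witness(set(), V_ZERO, ["v"], 2))       # a witness valuation for v
    print(model_witness(set(), U_COVER, ["u"], 3))      # None: no Herbrand model
    print(model_witness(P_S0, P_X, ["v"], 2), model_witness(P_S0, P_SX, ["v"], 2),
          model_witness(P_S0, P_X + P_SX, ["v"], 2))   # the union has no witness
    print(satisfiable_under(G_SET, {"u": 1, "v": 0}, 2),
          satisfiable_under(G_SET, {"u": 0, "v": 1}, 2))
```

The depth bound is what makes these checks terminate: a `None` from `model_witness` only says that no valuation up to that depth works, and it is exactly the infinite Herbrand universe that the calculus of this section has to handle without such a bound.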

Derivations using our calculus will usually contain multiple, potentially infinitely many, constrained clauses with empty clausal parts. We explore in Theorem 3.12 how the unsatisfiability of a saturated set of constrained clauses over $\mathcal{F}$ depends on a covering property of the constraints of constrained clauses with empty clausal part. In Theorem 3.6, we prove that this property is decidable for finite constrained clause sets. Furthermore, we show how to saturate a given set of constrained clauses (Theorem 3.16). Finally, we present in Section 3.3 an extension of the calculus that allows a wider range of Herbrand models of $\mathcal{F}$-satisfiable constrained clause sets to be deduced.

3.1 The Superposition Calculus for Fixed Domains 

We consider the following inference rules, which are defined with respect to a reduction ordering $\prec$ on $T(\mathcal{F}, X)$ that is total on ground terms. Most of the rules are quite similar to the usual superposition rules [Bachmair and Ganzinger 1994], just generalized to constrained clauses. However, they require additional treatment of the constraints to avoid inferences like

$\dfrac{u \approx f(x) \,\|\, \to a \approx b \qquad u \approx g(y) \,\|\, \to a \approx c}{u \approx f(x), u \approx g(y) \,\|\, \to b \approx c}$

the conclusion of which contains the existential variable $u$ more than once in its constraint and hence is not a constrained clause. In addition, there are two new rules that rewrite constraints.

To simplify the presentation below, we do not enrich the calculus by the use of a negative literal selection function as in [Bachmair and Ganzinger 1994], although this is also possible. As usual, we consider the universal variables in different appearing constrained clauses to be renamed apart. If $\alpha_1 = v_1 \approx s_1, \ldots, v_n \approx s_n$ and $\alpha_2 = v_1 \approx t_1, \ldots, v_n \approx t_n$ are two constraints, we write $\alpha_1 \approx \alpha_2$ for the equations $s_1 \approx t_1, \ldots, s_n \approx t_n$, and $\mathrm{mgu}(\alpha_1, \alpha_2)$ for the most general simultaneous unifier of $(s_1, t_1), \ldots, (s_n, t_n)$. Note that $\alpha_1 \approx \alpha_2$ does not contain any existential variables.

Definition 3.1. The superposition calculus for fixed domains SFD consists of the following inference rules:

— Equality Resolution:

$\dfrac{\alpha \,\|\, \Gamma, s \approx t \to \Delta}{(\alpha \,\|\, \Gamma \to \Delta)\sigma}$

where (i) $\sigma = \mathrm{mgu}(s,t)$ and (ii) $(s \approx t)\sigma$ is maximal in $(\Gamma, s \approx t \to \Delta)\sigma$.^7

— Equality Factoring:

$\dfrac{\alpha \,\|\, \Gamma \to \Delta, s \approx t, s' \approx t'}{(\alpha \,\|\, \Gamma, t \approx t' \to \Delta, s' \approx t')\sigma}$

where (i) $\sigma = \mathrm{mgu}(s,s')$, (ii) $(s \approx t)\sigma$ is maximal in $(\Gamma \to \Delta, s \approx t, s' \approx t')\sigma$, and (iii) $t\sigma \not\succ s\sigma$.

— Superposition, Right:

$\dfrac{\alpha_1 \,\|\, \Gamma_1 \to \Delta_1, l \approx r \qquad \alpha_2 \,\|\, \Gamma_2 \to \Delta_2, s[l']_p \approx t}{(\alpha_1 \,\|\, \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2, s[r]_p \approx t)\sigma_1\sigma_2}$

where (i) $\sigma_1 = \mathrm{mgu}(l,l')$, $\sigma_2 = \mathrm{mgu}(\alpha_1\sigma_1, \alpha_2\sigma_1)$, (ii) $(l \approx r)\sigma_1\sigma_2$ is strictly maximal in $(\Gamma_1 \to \Delta_1, l \approx r)\sigma_1\sigma_2$ and $(s \approx t)\sigma_1\sigma_2$ is strictly maximal in $(\Gamma_2 \to \Delta_2, s \approx t)\sigma_1\sigma_2$, (iii) $r\sigma_1\sigma_2 \not\succ l\sigma_1\sigma_2$ and $t\sigma_1\sigma_2 \not\succ s\sigma_1\sigma_2$, and (iv) $l'$ is not a variable.

— Superposition, Left:

$\dfrac{\alpha_1 \,\|\, \Gamma_1 \to \Delta_1, l \approx r \qquad \alpha_2 \,\|\, \Gamma_2, s[l']_p \approx t \to \Delta_2}{(\alpha_1 \,\|\, \Gamma_1, \Gamma_2, s[r]_p \approx t \to \Delta_1, \Delta_2)\sigma_1\sigma_2}$

where (i) $\sigma_1 = \mathrm{mgu}(l,l')$, $\sigma_2 = \mathrm{mgu}(\alpha_1\sigma_1, \alpha_2\sigma_1)$, (ii) $(l \approx r)\sigma_1\sigma_2$ is strictly maximal in $(\Gamma_1 \to \Delta_1, l \approx r)\sigma_1\sigma_2$ and $(s \approx t)\sigma_1\sigma_2$ is maximal in $(\Gamma_2, s \approx t \to \Delta_2)\sigma_1\sigma_2$, (iii) $r\sigma_1\sigma_2 \not\succ l\sigma_1\sigma_2$ and $t\sigma_1\sigma_2 \not\succ s\sigma_1\sigma_2$, and (iv) $l'$ is not a variable.

— Constraint Superposition:

$\dfrac{\alpha_1 \,\|\, \Gamma_1 \to \Delta_1, l \approx r \qquad \alpha_2[l'] \,\|\, \Gamma_2 \to \Delta_2}{(\alpha_2[r] \,\|\, \alpha_1 \approx \alpha_2[r], \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2)\sigma}$

where (i) $\sigma = \mathrm{mgu}(l,l')$, (ii) $(l \approx r)\sigma$ is strictly maximal in $(\Gamma_1 \to \Delta_1, l \approx r)\sigma$, (iii) $r\sigma \not\succ l\sigma$, and (iv) $l'$ is not a variable.

— Equality Elimination:

$\dfrac{\alpha_1 \,\|\, \Gamma \to \Delta, l \approx r \qquad \alpha_2[r'] \,\|\, \Box}{(\alpha_1 \,\|\, \Gamma \to \Delta)\sigma_1\sigma_2}$

where (i) $\sigma_1 = \mathrm{mgu}(r,r')$, $\sigma_2 = \mathrm{mgu}(\alpha_1\sigma_1, \alpha_2[l]\sigma_1)$, (ii) $(l \approx r)\sigma_1\sigma_2$ is strictly maximal in $(\Gamma \to \Delta, l \approx r)\sigma_1\sigma_2$, (iii) $r\sigma_1\sigma_2 \not\succ l\sigma_1\sigma_2$, and (iv) $r'$ is not a variable.

^7 Note that we do not consider the constraint part for the maximality condition.

This inference system contains the standard universal superposition calculus as the special case when there are no existential variables at all present, i.e. $V = \emptyset$ and all constraints are empty: The rules equality resolution, equality factoring, and superposition right and left reduce to their non-constrained counterparts and the constraint superposition and equality elimination rules become obsolete.

While the former rules are thus well-known, a few words may be in order to explain the idea behind constraint superposition and equality elimination. They have been introduced to make the calculus refutationally complete, i.e. to ensure that constrained clause sets that are saturated with respect to the inference system and that do not have a Herbrand model over the given signature always contain "enough" constrained empty clauses (cf. Definition 3.4 and Theorem 3.12).

A notable feature of constraint superposition is how the information of both premise constraints is combined in the conclusion. Classically, the existential variables would be Skolemized and the constraint of a constrained clause would be regarded as part of its antecedent. In this setting, superpositions into the constraint part as considered here would not even require a specialized rule but occur naturally in the following form:

$\dfrac{\alpha_1, \Gamma_1 \to \Delta_1, l \approx r \qquad \alpha_2[l'], \Gamma_2 \to \Delta_2}{(\alpha_1, \alpha_2[r], \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2)\sigma}$

Translated into the language of constrained clauses, the conclusion would, however, not be a well-formed constrained clause. In most inference rules, we circumvent this problem by forcing a unification of the constraints of the premises, so that we can use an equivalent and admissible conclusion. For constraint superposition, this approach turns out to be too weak to prove Proposition 3.8. Therefore, we instead replace $\alpha_1$ by $\alpha_1 \approx \alpha_2[r]$ in this inference rule to regain an admissible constrained clause.

The resulting constraint superposition rule alone is not sufficient to obtain refutational completeness. Abstractly speaking, it only transfers information about the equality relation from the clausal part into the constraint part. For completeness, we also need a transfer the other way round. Once we find terms that cannot be solutions to the existentially quantified variables, we have to propagate this information through the respective equivalence classes in the clausal part. The result is the rule equality elimination, which deletes equations that are in conflict with the satisfiability of constrained empty clauses.

The rules constraint superposition and equality elimination are the main reason why SFD can manage theories that are not constructor-based, i.e. where the calculus cannot assume the irreducibility of certain terms.

Example 3.2. Constraint superposition and equality elimination allow us to derive, e.g., $u\approx b \parallel \Box$ from $u\approx b \parallel {}\to a\approx b$ and $u\approx a \parallel \Box$, although $u\approx a$ and $u\approx b$ are not unifiable:

If $b \succ a$, then $u\approx b \parallel \Box$ is derived by one step of equality elimination:

$$\frac{u\approx b \parallel {}\to b\approx a \qquad u\approx a \parallel \Box}{u\approx b \parallel \Box}\ \text{Equality Elimination}$$

Otherwise, $u\approx b \parallel \Box$ follows from a step of constraint superposition and the subsequent resolution of a trivial equality:

$$\frac{u\approx b \parallel {}\to a\approx b \qquad u\approx a \parallel \Box}{u\approx b \parallel b\approx b \to}\ \text{Constraint Superposition}$$

$$\frac{u\approx b \parallel b\approx b \to}{u\approx b \parallel \Box}\ \text{Equality Resolution}$$

$\square$

When we work with predicative atoms in the examples, we will not make the translation into the purely equational calculus explicit. If, e.g., $P$ is a predicate symbol that is translated into the function symbol $f_P$, we write a derivation

$$\frac{\alpha_1 \parallel \Gamma_1 \to \Delta_1, f_P(s_1,\ldots,s_n)\approx\mathrm{true} \qquad \alpha_2 \parallel \Gamma_2, f_P(t_1,\ldots,t_n)\approx\mathrm{true} \to \Delta_2}{(\alpha_1 \parallel \Gamma_1, \Gamma_2, \mathrm{true}\approx\mathrm{true} \to \Delta_1, \Delta_2)\sigma_1\sigma_2}\ \text{Superposition}$$

$$\frac{(\alpha_1 \parallel \Gamma_1, \Gamma_2, \mathrm{true}\approx\mathrm{true} \to \Delta_1, \Delta_2)\sigma_1\sigma_2}{(\alpha_1 \parallel \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2)\sigma_1\sigma_2}\ \text{Equality Resolution}$$

consisting of a superposition into a predicative atom and the subsequent resolution of the atom $\mathrm{true}\approx\mathrm{true}$ in the following condensed form:

$$\frac{\alpha_1 \parallel \Gamma_1 \to \Delta_1, P(s_1,\ldots,s_n) \qquad \alpha_2 \parallel \Gamma_2, P(t_1,\ldots,t_n) \to \Delta_2}{(\alpha_1 \parallel \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2)\sigma_1\sigma_2}\ \text{Superposition}$$



Example 3.3. For a simple example involving only superposition on predicative atoms, consider the clause set $N_e = \{{}\to G(a,p),\ {}\to G(b,q),\ G(a,x) \to C(a,x),\ C(a,x) \to R(a,x),\ G(b,x) \to R(b,x)\}$ that describes the elevator example presented in the introduction, and additionally the two constrained clauses $u\approx x, v\approx y \parallel R(y,x) \to$ and $u\approx x, v\approx y \parallel {}\to G(y,x)$. These clauses state that there are a person and an elevator such that the person can reach the ground floor but not the restaurant floor in this elevator.

Assume a term ordering $\prec$ for which $G(y,x) \prec C(y,x) \prec R(y,x)$. With this ordering, the succedent is strictly maximal in each clause of $N_e$. Because superposition inferences always work on maximal atoms (condition (ii)), only two inferences between the given constrained clauses are possible:

$$\frac{C(a,x) \to R(a,x) \qquad u\approx x, v\approx y \parallel R(y,x) \to}{u\approx x, v\approx a \parallel C(a,x) \to}$$

$$\frac{G(b,x) \to R(b,x) \qquad u\approx x, v\approx y \parallel R(y,x) \to}{u\approx x, v\approx b \parallel G(b,x) \to}$$

The first conclusion can now be superposed with the third clause of $N_e$:

$$\frac{G(a,x) \to C(a,x) \qquad u\approx x, v\approx a \parallel C(a,x) \to}{u\approx x, v\approx a \parallel G(a,x) \to}$$

The last two conclusions can in turn be superposed with the constrained clause $u\approx x, v\approx y \parallel {}\to G(y,x)$:

$$\frac{u\approx x, v\approx y \parallel {}\to G(y,x) \qquad u\approx x, v\approx a \parallel G(a,x) \to}{u\approx x, v\approx a \parallel \Box}$$

$$\frac{u\approx x, v\approx y \parallel {}\to G(y,x) \qquad u\approx x, v\approx b \parallel G(b,x) \to}{u\approx x, v\approx b \parallel \Box}$$

Now the only remaining SFD inferences are those between the constrained clauses ${}\to G(a,p)$ and $u\approx x, v\approx a \parallel G(a,x) \to$ and between the constrained clauses ${}\to G(b,q)$ and $u\approx x, v\approx b \parallel G(b,x) \to$. They both result in clauses that are redundant with respect to the last two conclusions. Hence the inferences themselves are redundant, which means that they do not give us any new information on the system, and we can ignore them.

In order to present such a series of inferences in a more concise manner, we will write them down as follows, where all constrained clauses are indexed and premises to an inference are represented by their indices:

clauses in $N_e$:
  1: ${}\to G(a,p)$
  2: ${}\to G(b,q)$
  3: $G(a,x) \to C(a,x)$
  4: $C(a,x) \to R(a,x)$
  5: $G(b,x) \to R(b,x)$
additional clauses:
  6: $u\approx x, v\approx y \parallel R(y,x) \to$
  7: $u\approx x, v\approx y \parallel {}\to G(y,x)$
Superposition(4,6) = 8: $u\approx x, v\approx a \parallel C(a,x) \to$
Superposition(5,6) = 9: $u\approx x, v\approx b \parallel G(b,x) \to$
Superposition(3,8) = 10: $u\approx x, v\approx a \parallel G(a,x) \to$
Superposition(7,9) = 11: $u\approx x, v\approx b \parallel \Box$
Superposition(7,10) = 12: $u\approx x, v\approx a \parallel \Box$


3.2 Model Construction and Refutational Completeness

By treating each constraint as part of the antecedent, constrained clauses can be regarded as a special class of unconstrained clauses. Because of this, the construction of a Herbrand interpretation for a set of constrained clauses is strongly connected to the one for universal clause sets [Bachmair and Ganzinger 1994]. The main difference is that we now have to account for existential variables before starting the construction. To define a Herbrand interpretation of a set $N$ of constrained clauses, we proceed in two steps: First, we identify an instantiation of the existential variables that does not contradict any constrained clause with empty clausal part, and then we construct the model of a set of unconstrained clause instances.

ACM Transactions on Computational Logic, Vol. V, No. N, November 2009.

14 • M. Horbach and C. Weidenbach

Definition 3.4 Coverage. Given a set $N$ of constrained clauses, we denote the set of all constraints of constrained clauses in $N$ with empty clausal part by $A_N$, i.e. $A_N = \{\alpha \mid (\alpha \parallel \Box) \in N\}$. We call $A_N$ covering if every ground constraint over the given signature is an instance of a constraint in $A_N$.

Furthermore, we distinguish one constraint $\alpha_N$: If $A_N$ is not covering, then let $\alpha_N$ be a minimal ground constraint with respect to $\prec$ such that $\alpha_N$ is not an instance of any constraint in $A_N$. Otherwise let $\alpha_N$ be arbitrary.

Definition 3.5 Minimal Model of a Constrained Clause Set. Let $N$ be a set of constrained clauses with associated ground constraint $\alpha_N$. The Herbrand interpretation $\mathcal{I}_N^{\alpha_N}$ is defined as the minimal model of the unconstrained clause set $\{C\sigma \mid (\alpha \parallel C) \in N \text{ and } \alpha\sigma = \alpha_N\}$ as described in Section 2. We usually do not mention $\alpha_N$ explicitly and write $\mathcal{I}_N$ for $\mathcal{I}_N^{\alpha_N}$ if no ambiguities arise from this.

Note that even if $A_N$ is not covering, $\alpha_N$ is usually not uniquely defined. E.g. for the constrained clause set $N = \{u\approx 0, v\approx 0 \parallel \Box\}$ over $\mathcal{F} = \{0, s\}$, it holds that $A_N = \{(u\approx 0, v\approx 0)\}$, and both $\alpha_N^1 = (u\approx 0, v\approx s(0))$ and $\alpha_N^2 = (u\approx s(0), v\approx 0)$ are valid choices. When necessary, this ambiguity can be avoided by using an ordering on the existential variables as a tie breaker.

While it is well known how the construction of $\mathcal{I}_N$ works once $\alpha_N$ is given, it is not that obvious that it is decidable whether $A_N$ is covering and, if it is not, how to effectively compute $\alpha_N$. This is, however, possible for finite $A_N$:

Theorem 3.6 Decidability of Finite Coverage. Let $N$ be a set of constrained clauses such that $A_N$ is finite. It is decidable whether $A_N$ is covering, and $\alpha_N$ is computable if $A_N$ is not covering.

Proof. Consider the formula

$$\Phi = \bigwedge_{(v_1\approx t_1,\ldots,v_n\approx t_n \parallel \Box)\in N} \neg(v_1\approx t_1 \wedge \ldots \wedge v_n\approx t_n)$$

and let $\{x_1,\ldots,x_m\} \subseteq X$ be the set of universal variables occurring in $\Phi$. The set $A_N$ is not covering if and only if the formula $\forall x_1,\ldots,x_m.\Phi$ is satisfiable in $T(\mathcal{F})$. Such so-called disunification problems have been studied among others by Comon and Lescanne [Comon and Lescanne 1989], who gave a terminating algorithm that eliminates the universal quantifiers from $\forall x_1,\ldots,x_m.\Phi$ and transforms the initial problem into a formula $\Psi_1 \vee \ldots \vee \Psi_m$, $m \geq 0$, such that each $\Psi_i$ is of the shape

$$\Psi_i = \exists \vec{w}.\ v_1\approx s_1 \wedge \ldots \wedge v_n\approx s_n \wedge z_1\not\approx s'_1 \wedge \ldots \wedge z_k\not\approx s'_k,$$

where $v_1,\ldots,v_n$ occur only once in each $\Psi_i$, the $z_i$ are variables and $z_i \neq s'_i$. This is done in such a way that (un-)satisfiability in $T(\mathcal{F})$ is preserved. The formula $\Psi_1 \vee \ldots \vee \Psi_m$ is satisfiable in $T(\mathcal{F})$ if and only if the disjunction is not empty. All solutions can easily be read off from the formula. $\square$
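As an added illustration of Definitions 3.4 and 3.5 and of Theorem 3.6 (example code written for this page, not code from the paper or its authors), the following Python program implements the instance check behind coverage, i.e. syntactic matching of a constraint against a ground constraint with one substitution shared by all equations, and a bounded search for $\alpha_N$ that enumerates ground constraints in increasing size. The size-based ordering and the position-wise tie breaker between equally large constraints are assumptions of this example (the paper only fixes some reduction ordering $\prec$ and leaves the tie breaker open); the disunification algorithm of Comon and Lescanne is not implemented, so for a signature with proper function symbols the search finds $\alpha_N$ only within the given bound, while for a signature of constants only the enumeration is exhaustive and a `None` result means that $A_N$ is covering.

```python
"""Coverage check and bounded computation of alpha_N (Definitions 3.4 / 3.5).

Terms are nested tuples ("f", arg1, ...) with constants written as ("a",);
universal variables are plain strings.  A constraint u_1~s_1, ..., u_n~s_n
is represented by the tuple (s_1, ..., s_n), one term per existential variable.
"""
from itertools import product


def size(t):
    """Number of symbols in a ground term.  The ordering used below is
    size-based; this is an assumption of the example, not the paper's choice."""
    return 1 + sum(size(a) for a in t[1:])


def match(pattern, ground, subst):
    """Extend subst so that pattern*subst == ground; False on clash."""
    if isinstance(pattern, str):                  # universal variable
        if pattern in subst:
            return subst[pattern] == ground
        subst[pattern] = ground
        return True
    if pattern[0] != ground[0] or len(pattern) != len(ground):
        return False
    return all(match(p, g, subst) for p, g in zip(pattern[1:], ground[1:]))


def is_instance(constraint, ground_constraint):
    """True iff ground_constraint = constraint*tau for a single substitution tau
    (the same tau must serve every equation of the constraint)."""
    subst = {}
    return all(match(p, g, subst) for p, g in zip(constraint, ground_constraint))


def ground_terms(signature, max_size):
    """All ground terms over `signature` (name -> arity) with at most max_size
    symbols, grouped by size: by_size[k] lists the terms with exactly k symbols."""
    by_size = {k: [] for k in range(1, max_size + 1)}
    for k in range(1, max_size + 1):
        for f, arity in signature.items():
            if arity == 0:
                if k == 1:
                    by_size[k].append((f,))
                continue
            for sizes in product(range(1, k), repeat=arity):   # argument sizes
                if sum(sizes) != k - 1:
                    continue
                for args in product(*(by_size[s] for s in sizes)):
                    by_size[k].append((f,) + args)
    return by_size


def minimal_uncovered(A_N, signature, n_exist, max_size):
    """Smallest ground constraint (by total size, then by the sizes of the
    terms for u_1, u_2, ... as a constructed tie breaker) that is not an
    instance of any constraint in A_N, searching terms up to max_size symbols.
    Returns None if every enumerated ground constraint is covered; that answer
    is exhaustive only when the signature consists of constants alone."""
    by_size = ground_terms(signature, max_size)
    terms = [t for k in sorted(by_size) for t in by_size[k]]
    candidates = sorted(product(terms, repeat=n_exist),
                        key=lambda c: (sum(map(size, c)), tuple(map(size, c)), repr(c)))
    for c in candidates:
        if not any(is_instance(a, c) for a in A_N):
            return c
    return None


NAT = {"0": 0, "s": 1}      # signature {0, s} from the note after Definition 3.5
AB = {"a": 0, "b": 0}       # signature {a, b} of the elevator example

if __name__ == "__main__":
    # N = {u~0, v~0 || []}: the first uncovered constraint is u~0, v~s(0)
    print(minimal_uncovered([(("0",), ("0",))], NAT, n_exist=2, max_size=4))
    # elevator: A_N = {(u~x, v~a), (u~x, v~b)} is covering over {a, b}
    print(minimal_uncovered([("x", ("a",)), ("x", ("b",))], AB, n_exist=2, max_size=1))
```

With the tie breaker used here, the $\{0, s\}$ example returns the first of the two choices listed after Definition 3.5, $u\approx 0, v\approx s(0)$; for $N = \{\parallel {}\to P(s(0)),\ u\approx x \parallel {}\to P(x)\}$, where $A_N$ is empty, the search returns $u\approx 0$, the constraint used in the discussion after Theorem 3.6.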

For saturated sets, the information contained in the constrained empty clauses is already sufficient to decide whether Herbrand models exist: Specifically, we will now show that a saturated constrained clause set $N$ has a Herbrand model over $\mathcal{F}$ (namely $\mathcal{I}_N$) if and only if $A_N$ is not covering. In this case, $\mathcal{I}_N$ is a minimal model of $\{C\sigma \mid (\alpha \parallel C) \in N \text{ and } \alpha\sigma = \alpha_N\}$, and we will also call it the minimal model of $N$ (with respect to $\alpha_N$). Observe, however, that for other choices of $\alpha_N$ there may be strictly smaller models of $N$ with respect to set inclusion: For $N = \{\parallel {}\to P(s(0)),\ u\approx x \parallel {}\to P(x)\}$, we have $\alpha_N = (u\approx 0)$ and $\mathcal{I}_N = \{P(0), P(s(0))\}$, and $\mathcal{I}_N$ strictly contains the model $\{P(s(0))\}$ of $N$ that corresponds to the constraint $u\approx s(0)$.

Since $\mathcal{I}_N$ is defined via a set of unconstrained clauses, it inherits all properties of minimal models of unconstrained clause sets. Above all, we will use the property that the rewrite system $R_N$ constructed in parallel with $\mathcal{I}_N$ is confluent and terminating.

Lemma 3.7. Let $N$ be saturated with respect to the inference system SFD. If $A_N$ is not covering, then $\alpha_N$ is irreducible by $R_N$.

Proof. Assume, contrary to the proposition, that $A_N$ is not covering and $\alpha_N$ is reducible. Then there are a position $p$ and a rule $l\sigma \to r\sigma \in R_N$ produced by a ground instance $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma$ of a constrained clause $\beta \parallel \Lambda \to \Pi, l\approx r \in N$ such that $l\sigma = \alpha_N|_p$.

Because of the minimality of $\alpha_N$ and because $\alpha_N \succ \alpha_N[r\sigma]_p$, there must be a constrained clause $\gamma \parallel \Box \in N$ and a substitution $\sigma'$ such that $\gamma\sigma' = \alpha_N[r\sigma]_p$. Since by definition $\alpha_N$ is not an instance of $\gamma$, the position $p$ is a non-variable position of $\gamma$. Since furthermore $\beta\sigma = \alpha_N = \gamma\sigma'[l\sigma]_p$, and $\sigma$ is a unifier of $\gamma|_p$ and $r$ with $\gamma\sigma'|_p = r\sigma$, there is an equality elimination inference as follows:

$$\frac{\beta \parallel \Lambda \to \Pi, l\approx r \qquad \gamma \parallel \Box}{(\beta \parallel \Lambda \to \Pi)\sigma_1\sigma_2}\quad \sigma_1 = \mathrm{mgu}(\gamma|_p, r),\ \sigma_2 = \mathrm{mgu}(\beta\sigma_1, \gamma[l]_p\sigma_1)$$

Because of the saturation of $N$, the ground instance

$$\frac{(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma \qquad (\gamma \parallel \Box)\sigma'}{(\beta \parallel \Lambda \to \Pi)\sigma}$$

of this derivation is redundant. The first premise cannot be redundant because it is productive; the second one cannot be redundant because there are no clauses that are smaller than $\Box$. This means that the constrained clause $(\beta \parallel \Lambda \to \Pi)\sigma$ follows from ground instances of constrained clauses in $N$ all of which are smaller than the maximal premise $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma$. But then the same ground instances imply $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma$, which means that this constrained clause cannot be productive. A contradiction. $\square$

Lemma 3.8. Let $N$ be saturated with respect to SFD and let $A_N$ not be covering. If $\mathcal{I}_N \not\models N$ and if $(\alpha \parallel C)\sigma$ is a minimal ground instance of a constrained clause in $N$ such that $\mathcal{I}_N \not\models (\alpha \parallel C)\sigma$, then $\alpha\sigma = \alpha_N$.

Proof. Let $C = \Gamma \to \Delta$. By definition of entailment, $\mathcal{I}_N \not\models (\alpha \parallel C)\sigma$ implies that $\mathcal{I}_N \models \alpha_N\approx\alpha\sigma$, or equivalently $\alpha_N \leftrightarrow^*_{R_N} \alpha\sigma$. We have already seen in Lemma 3.7 that $\alpha_N$ is irreducible. Because of the confluence of $R_N$, either $\alpha\sigma = \alpha_N$ or $\alpha\sigma$ must be reducible.

Assume the latter, i.e. that $\alpha\sigma|_p = l\sigma'$ for a position $p$ and a rule $l\sigma' \to r\sigma' \in R_N$ that has been produced by the ground instance $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma'$ of a constrained clause $\beta \parallel \Lambda \to \Pi, l\approx r \in N$. If $p$ is a variable position in $\alpha$ or not a position in $\alpha$ at all, then the rule actually reduces $\sigma$, which contradicts the minimality of $(\alpha \parallel C)\sigma$. Otherwise, there is a constraint superposition inference

$$\frac{\beta \parallel \Lambda \to \Pi, l\approx r \qquad \alpha \parallel \Gamma \to \Delta}{(\alpha[r]_p \parallel \beta\approx\alpha[r]_p, \Lambda, \Gamma \to \Pi, \Delta)\tau}\quad \tau = \mathrm{mgu}(\alpha|_p, l)$$

Consider the ground instance $\delta \parallel D := (\alpha[r]_p \parallel \beta\approx\alpha[r]_p, \Lambda, \Gamma \to \Pi, \Delta)\sigma\sigma'$ of the conclusion. This constrained clause is not modeled by $\mathcal{I}_N$. On the other hand, that $N$ is saturated implies that the ground inference

$$\frac{(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma' \qquad (\alpha \parallel \Gamma \to \Delta)\sigma}{(\alpha[r]_p \parallel \beta\approx\alpha[r]_p, \Lambda, \Gamma \to \Pi, \Delta)\sigma\sigma'}$$

is redundant. The premises cannot be redundant, because $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma'$ is productive and $(\alpha \parallel C)\sigma$ is minimal, so the constrained clause $\delta \parallel D$ follows from ground instances of constrained clauses of $N$ all of which are smaller than $\delta \parallel D$. Since moreover $\delta \parallel D \prec (\alpha \parallel C)\sigma$, all these ground instances hold in $\mathcal{I}_N$, hence $\mathcal{I}_N \models \delta \parallel D$ by minimality of $(\alpha \parallel C)\sigma$. This is a contradiction to $\mathcal{I}_N \not\models \delta \parallel D$. $\square$

Proposition 3.9. Let $N$ be a set of constrained clauses such that $N$ is saturated with respect to SFD and $A_N$ is not covering. Then $\mathcal{I}_N \models N$.

Proof. Assume, contrary to the proposition, that $N$ is saturated, $A_N$ is not covering, and $\mathcal{I}_N \not\models N$. Then there is a minimal ground instance $(\alpha \parallel C)\sigma$ of a constrained clause $\alpha \parallel C \in N$ that is not modeled by $\mathcal{I}_N$. We will refute this minimality. We proceed by a case analysis of the position of the maximal literal in $C\sigma$. As usual, we assume that the appearing constrained clauses do not share any non-existential variables.

— $C = \Gamma, s\approx t \to \Delta$ and $s\sigma\approx t\sigma$ is maximal in $C\sigma$ with $s\sigma = t\sigma$. Then $s$ and $t$ are unifiable, and so there is an inference by equality resolution as follows:

$$\frac{\alpha \parallel \Gamma, s\approx t \to \Delta}{(\alpha \parallel \Gamma \to \Delta)\sigma_1}\quad \sigma_1 = \mathrm{mgu}(s, t)$$

Consider the ground instance $(\alpha \parallel \Gamma \to \Delta)\sigma$ of the conclusion. From this constrained clause, a contradiction can be obtained as in the proof of Lemma 3.8.

— $C = \Gamma, s\approx t \to \Delta$ and $s\sigma\approx t\sigma$ is maximal in $C\sigma$ with $s\sigma \succ t\sigma$. Since $\mathcal{I}_N \not\models C\sigma$, we know that $s\sigma\approx t\sigma \in \mathcal{I}_N$, and because $R_N$ only rewrites larger to smaller terms, $s\sigma$ must be reducible by a rule $l\sigma' \to r\sigma' \in R_N$ produced by a ground instance $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma'$ of a constrained clause $\beta \parallel \Lambda \to \Pi, l\approx r \in N$. So $s\sigma|_p = l\sigma'$ for some position $p$ in $s\sigma$.

Case 1: $p$ is a non-variable position in $s$. Since $\beta\sigma' = \alpha_N = \alpha\sigma$ and $s\sigma|_p = l\sigma'$, there is an inference by left superposition as follows:

$$\frac{\beta \parallel \Lambda \to \Pi, l\approx r \qquad \alpha \parallel \Gamma, s\approx t \to \Delta}{(\alpha \parallel \Lambda, \Gamma, s[r]_p\approx t \to \Pi, \Delta)\sigma_1\sigma_2}\quad \sigma_1 = \mathrm{mgu}(s|_p, l),\ \sigma_2 = \mathrm{mgu}(\beta\sigma_1, \alpha\sigma_1)$$

As before, a contradiction can be derived from the existence of the ground instance $(\alpha \parallel \Lambda, \Gamma, s[r]_p\approx t \to \Pi, \Delta)\sigma\sigma'$ of the conclusion.

Case 2: $p = p'p''$, where $s|_{p'} = x$ is a variable. Then $(x\sigma)|_{p''} = l\sigma'$. If $\tau$ is the substitution that coincides with $\sigma$ except that $x\tau = x\sigma[r\sigma']_{p''}$, then $\mathcal{I}_N \not\models C\tau$ and $(\alpha \parallel C)\tau$ contradicts the minimality of $(\alpha \parallel C)\sigma$.

— $C = \Gamma \to \Delta, s\approx t$ and $s\sigma\approx t\sigma$ is maximal in $C\sigma$ with $s\sigma = t\sigma$. This cannot happen because then $C\sigma$ would be a tautology.

— $C = \Gamma \to \Delta, s\approx t$ and $s\sigma\approx t\sigma$ is strictly maximal in $C\sigma$ with $s\sigma \succ t\sigma$. Since $\mathcal{I}_N \not\models C\sigma$, we know that $\mathcal{I}_N \models \Gamma\sigma$, $\mathcal{I}_N \not\models \Delta\sigma$, and $\mathcal{I}_N \not\models s\sigma\approx t\sigma$, and thus $C\sigma$ did not produce the rule $s\sigma \to t\sigma$. The only possible reason for this is that $s\sigma$ is reducible by a rule $l\sigma' \to r\sigma' \in R_N$ produced by a ground instance $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma'$ of a constrained clause $\beta \parallel \Lambda \to \Pi, l\approx r \in N$. So $s\sigma|_p = l\sigma'$ for some position $p$ in $s\sigma$.

Case 1: $p$ is a non-variable position in $s$. Since $\beta\sigma' = \alpha_N = \alpha\sigma$ and $s\sigma|_p = l\sigma'$, there is an inference by right superposition as follows:

$$\frac{\beta \parallel \Lambda \to \Pi, l\approx r \qquad \alpha \parallel \Gamma \to \Delta, s\approx t}{(\alpha \parallel \Lambda, \Gamma \to \Pi, \Delta, s[r]_p\approx t)\sigma_1\sigma_2}\quad \sigma_1 = \mathrm{mgu}(s|_p, l),\ \sigma_2 = \mathrm{mgu}(\beta\sigma_1, \alpha\sigma_1)$$

As before, a contradiction can be derived from the existence of the ground instance $(\alpha \parallel \Lambda, \Gamma \to \Pi, \Delta, s[r]_p\approx t)\sigma\sigma'$ of the conclusion.

Case 2: $p = p'p''$, where $s|_{p'} = x$ is a variable. Then $(x\sigma)|_{p''} = l\sigma'$. If $\tau$ is the substitution that coincides with $\sigma$ except that $x\tau = x\sigma[r\sigma']_{p''}$, then $\mathcal{I}_N \not\models C\tau$ and $C\tau$ contradicts the minimality of $C\sigma$.

— $C = \Gamma \to \Delta, s\approx t$ and $s\sigma\approx t\sigma$ is maximal but not strictly maximal in $C\sigma$ with $s\sigma \succ t\sigma$. Then $\Delta = \Delta', s'\approx t'$ such that $s'\sigma\approx t'\sigma$ is also maximal in $C\sigma$, i.e. without loss of generality $s\sigma = s'\sigma$ and $t\sigma = t'\sigma$. Then there is an inference by equality factoring as follows:

$$\frac{\alpha \parallel \Gamma \to \Delta', s\approx t, s'\approx t'}{(\alpha \parallel \Gamma, t\approx t' \to \Delta', s'\approx t')\sigma_1}\quad \sigma_1 = \mathrm{mgu}(s, s')$$

In analogy to the previous cases, a contradiction can be derived from the existence of the ground instance $(\alpha \parallel \Gamma, t\approx t' \to \Delta', s'\approx t')\sigma$ of the conclusion.

— $C\sigma$ does not contain any maximal literal at all, i.e. $C = \Box$. Since $\alpha\sigma = \alpha_N$ by Lemma 3.8, but $\alpha\sigma \neq \alpha_N$ by the definition of $\alpha_N$, this cannot happen.

Since we obtained a contradiction in each case, the initial assumption must be false, i.e. the proposition holds. $\square$

For the construction of $\mathcal{I}_N$, we chose $\alpha_N$ to be minimal. For non-minimal $\alpha_N$, the proposition does not hold:

Example 3.10. If $N = \{u\approx a \parallel {}\to a\approx b,\ u\approx b \parallel a\approx b \to\}$ and $a \succ b$, then no inference rule from SFD is applicable to $N$, so $N$ is saturated. However, $N$ implies $u\approx a \parallel \Box$. So the Herbrand interpretation constructed with $\alpha'_N = (u\approx a)$ is not a model of $N$. $\square$

On the other hand, whenever $N$ has any Herbrand model over $\mathcal{F}$, then $A_N$ is not covering:

Proposition 3.11. Let $N$ be a set of constrained clauses over $\mathcal{F}$ for which $A_N$ is covering. Then $N$ does not have any Herbrand model over $\mathcal{F}$.

Proof. Let $\mathcal{M}$ be a Herbrand model of $N$ over $\mathcal{F}$. Then $\mathcal{M} \models \{(\alpha \parallel \Box) \mid (\alpha \parallel \Box) \in N\}$, i.e. there is a substitution $\sigma\colon V \to T(\mathcal{F})$ such that for all $(\alpha \parallel \Box) \in N$ and all $\tau\colon X \to T(\mathcal{F})$, $\mathcal{M} \models \alpha\sigma\tau$ implies $\mathcal{M} \models \Box$. Since the latter is false, $\mathcal{M} \models \neg\alpha\sigma\tau$ for all $\tau$, and so $\mathcal{M} \models \neg\alpha\sigma$. The same holds for the Herbrand model $\mathcal{M}'$ over $\mathcal{F}$ in which $\approx$ is interpreted as syntactic equality, i.e. $\mathcal{M}' \models \neg\alpha\sigma$. But then the constraint $\bigwedge_{v \in V} v\approx v\sigma$ is not an instance of the constraint of any constrained clause of the form $\alpha \parallel \Box$, so $A_N$ is not covering. $\square$

A constrained clause set $N$ for which $A_N$ is covering may nevertheless have both non-Herbrand models and Herbrand models over an extended signature: If $\mathcal{F} = \{a\}$ and $N = \{u\approx a \parallel \Box\}$, then $A_N$ is covering, but any standard first-order interpretation with a universe of at least two elements is a model of $N$.

Propositions 3.9 and 3.11 constitute the following theorem:

Theorem 3.12 Refutational Completeness. Let $N$ be a set of constrained clauses over $\mathcal{F}$ that is saturated with respect to SFD. Then $N$ has a Herbrand model over $\mathcal{F}$ if and only if $A_N$ is not covering.

Moreover, the classical notions of (first-order) theorem proving derivations and fairness from [Bachmair and Ganzinger 1994] carry over to our setting.

Definition 3.13 Theorem Proving Derivations. A (finite or countably infinite) $\models_{\mathcal{F}}$ theorem proving derivation is a sequence $N_0, N_1, \ldots$ of constrained clause sets, such that either

— (Deduction) $N_{i+1} = N_i \cup \{\alpha \parallel C\}$ and $N_i \models_{\mathcal{F}} N_{i+1}$, or

— (Deletion) $N_{i+1} = N_i \setminus \{\alpha \parallel C\}$ and $\alpha \parallel C$ is redundant with respect to $N_i$.

If $N$ is a saturated constrained clause set for which $A_N$ is not covering, a $\models_{\mathrm{Ind}}$ theorem proving derivation for $N$ is a sequence $N_0, N_1, \ldots$ of constrained clause sets such that $N \subseteq N_0$ and either

— (Deduction) $N_{i+1} = N_i \cup \{\alpha \parallel C\}$ and $N \models_{\mathrm{Ind}} N_i \iff N \models_{\mathrm{Ind}} N_{i+1}$, or

— (Deletion) $N_{i+1} = N_i \setminus \{\alpha \parallel C\}$ and $\alpha \parallel C$ is redundant with respect to $N_i$.

Due to the semantics of constrained clauses and specifically the fact that all constrained clauses in a set are connected by common existential quantifiers, it does not suffice to require that $N_i \models_{\mathcal{F}} \alpha \parallel C$ (or $N_i \models_{\mathrm{Ind}} \alpha \parallel C$, respectively). E.g. for the signature $\mathcal{F} = \{a, b\}$ and $a \succ b$, the constrained clause $\alpha \parallel C = u\approx x \parallel x\approx b \to$ is modeled by every Herbrand interpretation over $\mathcal{F}$, but $\{u\approx x \parallel {}\to x\approx a\} \not\models_{\mathrm{Ind}} \{u\approx x \parallel {}\to x\approx a\} \cup \{\alpha \parallel C\}$.

Our calculus is sound, i.e. we may employ it for deductions in both types of theorem proving derivations:

Lemma 3.14. Let $\alpha \parallel C$ be the conclusion of an SFD inference with premises in $N$. Then $N\tau \models N\tau \cup \{\alpha\tau \to C\tau\}$ for each substitution $\tau\colon V \to T(\mathcal{F})$.

Proof. This proof relies on the soundness of paramodulation, the unordered correspondent to (unconstrained) superposition [Nieuwenhuis and Rubio 2001].

Let $\alpha \parallel C$ be the conclusion of an inference from $\alpha_1 \parallel C_1, \alpha_2 \parallel C_2 \in N$. Then $\alpha\tau \to C\tau$ is (modulo (unconstrained) equality resolution) an instance of the conclusion of a paramodulation inference from $\alpha_1\tau \to C_1\tau$ and $\alpha_2\tau \to C_2\tau$. Because of the soundness of the paramodulation rules, we have $N\tau \models N\tau \cup \{\alpha\tau \to C\tau\}$. $\square$

Proposition 3.15 Soundness. The calculus SFD is sound for $\models_{\mathcal{F}}$ and $\models_{\mathrm{Ind}}$ theorem proving derivations:

(1) Let $\alpha \parallel C$ be the conclusion of an SFD inference with premises in $N$. Then $N \models_{\mathcal{F}} N \cup \{\alpha \parallel C\}$.

(2) Let $N$ be saturated with respect to SFD, let $A_N$ not be covering, and let $\alpha \parallel C$ be the conclusion of an SFD inference with premises in $N \cup N'$. Then $N \models_{\mathrm{Ind}} N'$ if and only if $N \models_{\mathrm{Ind}} N' \cup \{\alpha \parallel C\}$.

Proof. This follows directly from Lemma 3.14. $\square$

A $\models_{\mathcal{F}}$ or $\models_{\mathrm{Ind}}$ theorem proving derivation $N_0, N_1, \ldots$ is fair if every inference with premises in the constrained clause set $N_\infty = \bigcup_j \bigcap_{k \geq j} N_k$ is redundant with respect to $\bigcup_j N_j$. As usual, fairness can be ensured by systematically adding conclusions of non-redundant inferences, making these inferences redundant.

As it relies on redundancy and fairness rather than on a concrete inference system (as long as this system is sound), the proof of the next theorem is exactly as in the unconstrained case:

Theorem 3.16 Saturation. Let $N_0, N_1, N_2, \ldots$ be a fair $\models_{\mathcal{F}}$ theorem proving derivation. Then the set $N_\infty$ is saturated. Moreover, $N_0$ has a Herbrand model over $\mathcal{F}$ if and only if $N_\infty$ does.

Let $N_0, N_1, \ldots$ be a fair $\models_{\mathrm{Ind}}$ theorem proving derivation for $N$. Then the set $N \cup N_\infty$ is saturated. Moreover, $N \models_{\mathrm{Ind}} N_0$ if and only if $N \models_{\mathrm{Ind}} N_\infty$.

Example 3.17. Consider again the example of the elevator presented in the introduction. We will now prove that $\forall y, x.\, G(y,x) \to R(y,x)$ is valid in all Herbrand models of $N_e$ over $\{a, b\}$, i.e. that $N_e \cup \{\neg\forall y, x.\, G(y,x) \to R(y,x)\}$ does not have any Herbrand models over $\{a, b\}$. Following the line of thought presented above, we transform the negated query into the constrained clause set

$$\{\ u\approx x, v\approx y \parallel R(y,x) \to,\quad u\approx x, v\approx y \parallel {}\to G(y,x)\ \}$$

and then saturate $N_e$ together with these clauses. This saturation is exactly what we did in Example 3.3. The derived constrained empty clauses are $u\approx x, v\approx a \parallel \Box$ and $u\approx x, v\approx b \parallel \Box$. Their constraints are covering for $\{a, b\}$, which means that the initial constrained clause set does not have any Herbrand models over $\{a, b\}$, i.e. that $N_e \models_{\{a,b\}} \forall y, x.\, G(y,x) \to R(y,x)$. $\square$
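The fixed-domain result of Examples 3.3 and 3.17 can be cross-checked without running the calculus at all, as an added example (code written for this page, not code from the paper or its authors). The program below computes the minimal model of the Horn clauses in $N_e$ over a finite domain by iterating the immediate-consequence operator, and then decides whether $N_e$ together with the negated query has a Herbrand model over that domain: the existential variables $u, v$ are instantiated by every pair of domain elements, and for each choice the remaining set is Horn, so it has a Herbrand model iff the least model of its definite clauses satisfies the negative clause $R(v,u) \to$. Two assumptions of this example: $p$ and $q$ in ${}\to G(a,p)$ and ${}\to G(b,q)$ are read as universal variables, and the query is checked over explicitly listed finite domains.

```python
"""Fixed-domain check for the elevator query of Examples 3.3 and 3.17.

Atoms are tuples (predicate, arg1, arg2).  Names in VARS are universal
variables; every other argument is a domain constant.  Reading p and q as
variables is an assumption of this example.
"""
from itertools import product

VARS = {"x", "y", "p", "q"}

# N_e as Horn clauses (body, head); head None marks a negative clause.
N_E = [
    ((), ("G", "a", "p")),
    ((), ("G", "b", "q")),
    ((("G", "a", "x"),), ("C", "a", "x")),
    ((("C", "a", "x"),), ("R", "a", "x")),
    ((("G", "b", "x"),), ("R", "b", "x")),
]


def ground_instances(clause, domain):
    """Yield every ground instance of `clause` over `domain`."""
    body, head = clause
    atoms = list(body) + ([head] if head else [])
    vs = sorted({a for atom in atoms for a in atom[1:] if a in VARS})
    for vals in product(domain, repeat=len(vs)):
        sub = dict(zip(vs, vals))
        inst = lambda atom: (atom[0],) + tuple(sub.get(a, a) for a in atom[1:])
        yield tuple(inst(a) for a in body), (inst(head) if head else None)


def minimal_model(clauses, domain):
    """Least Herbrand model over `domain` of the definite clauses in `clauses`
    (Definition 3.5 after the existential variables have been instantiated):
    iterate the immediate-consequence operator until nothing new is derived."""
    instances = [g for c in clauses if c[1] for g in ground_instances(c, domain)]
    model, changed = set(), True
    while changed:
        changed = False
        for body, head in instances:
            if head not in model and all(b in model for b in body):
                model.add(head)
                changed = True
    return model


def horn_satisfiable(clauses, domain):
    """A Horn set has a Herbrand model over `domain` iff the least model of its
    definite clauses satisfies every negative clause (no body fully derived)."""
    model = minimal_model(clauses, domain)
    return not any(all(b in model for b in body)
                   for c in clauses if c[1] is None
                   for body, _ in ground_instances(c, domain))


def negated_query(u, v):
    """Instance of the pair  u~x, v~y || R(y,x) ->   and   u~x, v~y || -> G(y,x)
    (Example 3.17) for the ground constraint u, v: the clauses -> G(v,u), R(v,u) ->."""
    return [((), ("G", v, u)), ((("R", v, u),), None)]


def countermodel_exists(domain):
    """Does N_e plus the negated query have a Herbrand model over `domain`?
    Every choice of ground values for the existential variables u, v is tried."""
    return any(horn_satisfiable(N_E + negated_query(u, v), domain)
               for u, v in product(domain, repeat=2))


if __name__ == "__main__":
    print(sorted(minimal_model(N_E, ("a", "b"))))
    print("model over {a,b}:", countermodel_exists(("a", "b")))        # False
    print("model over {a,b,c}:", countermodel_exists(("a", "b", "c")))  # True
```

Over $\{a, b\}$ no choice of $u, v$ survives, in agreement with the covering constraints derived in Example 3.17; over the larger domain $\{a, b, c\}$ a countermodel exists (an elevator $c$ about which $N_e$ says nothing), which is why the query is a fixed-domain consequence of $N_e$ but not a first-order one.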

3.3 Other Herbrand Models of Constrained Clause Sets

A so far open question in the definition of the minimal model $\mathcal{I}_N$ is whether there is the alternative of choosing a non-minimal constraint $\alpha_N$. We have seen in Example 3.10 that this is in general not possible for sets $N$ that are saturated with respect to our present calculus, but we have also seen after Theorem 3.6 that models corresponding to non-minimal constraints may well be of interest. Such a situation will occur again in Example 4.4, where knowledge about all models allows us to find a complete set of counterexamples to a query.

To include also Herbrand models arising from non-minimal constraints, we now change our inference system. The trade-off is that we introduce a new and prolific inference rule that may introduce constrained clauses that are larger than the premises. This makes even the saturation of simple constrained clause sets non-terminating. E.g. a derivation starting from $\{\parallel {}\to f(a)\approx a,\ u\approx a \parallel {}\to P(a)\}$ will successively produce the increasingly large constrained clauses $u\approx f(a) \parallel {}\to P(a)$, $u\approx f(f(a)) \parallel {}\to P(a)$ and so on.

The following two changes affect only this section.

Definition 3.18. The calculus $\mathrm{SFD}^+$ arises from SFD by replacing the equality elimination inference rule by the following more general rule:

$$\frac{\alpha_1 \parallel \Gamma_1 \to \Delta_1, l\approx r \qquad \alpha_2[r'] \parallel \Gamma_2 \to \Delta_2}{(\alpha_2[l] \parallel \alpha_1\approx\alpha_2[l], \Gamma_1, \Gamma_2 \to \Delta_1, \Delta_2)\sigma}$$

where (i) $\sigma = \mathrm{mgu}(r, r')$, (ii) $(l\approx r)\sigma$ is strictly maximal in $(\Gamma_1 \to \Delta_1, l\approx r)\sigma$, (iii) $r\sigma \not\succeq l\sigma$, and (iv) $r'$ is not a variable.

Note that in a purely predicative setting, i.e. when all equations outside constraints are of the form $t\approx\mathrm{true}$, the separation of base sort and predicative sort prevents the application of both the original and the new equality elimination rule. So the calculi SFD and $\mathrm{SFD}^+$ coincide in this case.

Definition 3.19. Let $N$ be a set of constrained clauses. If $A_N$ is not covering, then let $\alpha_N$ be any ground constraint that is not an instance of any constraint in $A_N$ (note that $\alpha_N$ does not have to be minimal). Otherwise let $\alpha_N$ be arbitrary.

The Herbrand interpretation $\mathcal{I}_N^{\alpha_N}$ is still defined as the minimal model of the unconstrained clause set $\{C\sigma \mid (\alpha \parallel C) \in N \text{ and } \alpha\sigma = \alpha_N\}$.

Since the proof of Lemma 3.7 depends strongly on the minimality of $\alpha_N$, we have to change our proof strategy and cannot rely on previous results.

Lemma 3.20. Let $N$ be saturated with respect to $\mathrm{SFD}^+$. Assume that $A_N$ is not covering and fix some $\alpha_N$. If $\mathcal{I}_N \not\models N$, then there is a ground instance $(\alpha \parallel C)\sigma$ of a constrained clause in $N$ such that $\mathcal{I}_N \not\models (\alpha \parallel C)\sigma$ and $\alpha\sigma = \alpha_N$.

Proof. Let $(\alpha \parallel C)\sigma$ be the minimal ground instance of a constrained clause in $N$ such that $\mathcal{I}_N \not\models (\alpha \parallel C)\sigma$. We first show that we can restrict ourselves to the case where $\alpha_N$ rewrites to $\alpha\sigma$ using $R_N$, and then solve this case.

$\mathcal{I}_N \not\models (\alpha \parallel C)\sigma$ implies $\mathcal{I}_N \models \alpha\sigma\approx\alpha_N$, thus by confluence of $R_N$

$$\alpha\sigma \to^*_{R_N} \alpha_0 \leftarrow^*_{R_N} \alpha_N,$$

where $\alpha_0$ is the normal form of $\alpha_N$ under $R_N$. We show that $\alpha\sigma = \alpha_0$.

If $\alpha\sigma \neq \alpha_0$, then there is a rule $l\sigma' \to r\sigma' \in R_N$ that was produced by the ground instance $(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma'$ of a constrained clause $\beta \parallel \Lambda \to \Pi, l\approx r \in N$ such that $\alpha\sigma[l\sigma']_p \to_{R_N} \alpha\sigma[r\sigma']_p$. If $p$ is a variable position in $\alpha$ or not a position in $\alpha$ at all, then the rule actually reduces $\sigma$, which contradicts the minimality of $(\alpha \parallel C)\sigma$. So $p$ must be a non-variable position of $\alpha$. Let $C = \Gamma \to \Delta$. Then there is a constraint superposition inference as follows:

$$\frac{\beta \parallel \Lambda \to \Pi, l\approx r \qquad \alpha \parallel \Gamma \to \Delta}{(\alpha[r]_p \parallel \beta\approx\alpha[r]_p, \Lambda, \Gamma \to \Pi, \Delta)\tau}\quad \tau = \mathrm{mgu}(\alpha|_p, l)$$

The ground instance $\delta \parallel D := (\alpha[r]_p \parallel \beta\approx\alpha[r]_p, \Lambda, \Gamma \to \Pi, \Delta)\sigma\sigma'$ of the conclusion is not modeled by $\mathcal{I}_N$. On the other hand, because $N$ is saturated, the ground instance

$$\frac{(\beta \parallel \Lambda \to \Pi, l\approx r)\sigma' \qquad (\alpha \parallel \Gamma \to \Delta)\sigma}{(\alpha[r]_p \parallel \beta\approx\alpha[r]_p, \Lambda, \Gamma \to \Pi, \Delta)\sigma\sigma'}$$

of the above inference is redundant. The first premise cannot be redundant because it is productive; the second one cannot be redundant because of the minimality of $(\alpha \parallel \Gamma \to \Delta)\sigma$. This means that the conclusion follows from ground instances of constrained clauses in $N$ all of which are smaller than the maximal premise $(\alpha \parallel \Gamma \to \Delta)\sigma$. All these ground instances are modeled by $\mathcal{I}_N$, and so $\mathcal{I}_N \models \delta \parallel D$.

So whenever $\mathcal{I}_N \not\models N$, there is a ground instance $(\alpha \parallel C)\sigma$ of a constrained clause in $N$ such that $\mathcal{I}_N \not\models (\alpha \parallel C)\sigma$ and $\alpha\sigma = \alpha_0$. In particular $\alpha_N \to^*_{R_N} \alpha\sigma$.

Let $n \in \mathbb{N}$ be the minimal number for which there is a ground instance $(\alpha \parallel C)\sigma$ of a constrained clause $\alpha \parallel C = \alpha \parallel \Gamma \to \Delta$ in $N$ such that $\mathcal{I}_N \not\models (\alpha \parallel C)\sigma$ and $\alpha_N$ rewrites to $\alpha\sigma$ via $R_N$ in $n$ steps, written $\alpha_N \to^n_{R_N} \alpha\sigma$. We have to show that $n = 0$.

Assume $n > 0$. Then the last step of the derivation $\alpha_N \to^n_{R_N} \alpha\sigma$ is of the form $\alpha\sigma[l\sigma']_p \to_{R_N} \alpha\sigma[r\sigma']_p = \alpha\sigma$, where the rule $l\sigma' \to r\sigma' \in R_N$ has been produced by a constrained clause $\beta \parallel \Lambda \to \Pi, l\approx r \in N$ with $\beta\sigma' = \alpha_N$.

If $p$ is a variable position in $\alpha$ or not a position in $\alpha$ at all, we write $p = p'p''$ such that $\alpha|_{p'} = x$ is a variable. Let $\tau$ be the substitution that coincides with $\sigma$ except that $x\tau = x\sigma[l\sigma']_{p''}$. Then $\mathcal{I}_N \not\models (\alpha \parallel C)\tau$, and $\alpha_N \to^{n-1}_{R_N} \alpha\tau$ contradicts the minimality of $n$.

Otherwise there is an equality elimination inference as follows:

$$\frac{\beta \parallel \Lambda \to \Pi, l\approx r \qquad \alpha \parallel \Gamma \to \Delta}{(\alpha[l]_p \parallel \beta\approx\alpha[l]_p, \Lambda, \Gamma \to \Pi, \Delta)\tau}\quad \tau = \mathrm{mgu}(\alpha|_p, r)$$

The ground instance $\delta \parallel D := (\alpha[l]_p \parallel \beta\approx\alpha[l]_p, \Lambda, \Gamma \to \Pi, \Delta)\sigma\sigma'$ of the conclusion is not modeled by $\mathcal{I}_N$. In particular, $\mathcal{I}_N \models \delta$ and $\mathcal{I}_N \not\models D$.

Since the inference, and hence also the constrained clause $\delta \parallel D$, is redundant, there are constrained clauses $\delta_1 \parallel D_1, \ldots, \delta_m \parallel D_m \in N$ together with substitutions $\sigma_1, \ldots, \sigma_m$ such that $\delta = \delta_i\sigma_i$ for all $i$ and $D_1\sigma_1, \ldots, D_m\sigma_m \models D$. This implies that $\mathcal{I}_N \not\models (\delta_i \parallel D_i)\sigma_i$ for at least one of the constrained clause instances $(\delta_i \parallel D_i)\sigma_i$. Since $\alpha_N \to^{n-1}_{R_N} \delta_i\sigma_i = \delta = \alpha\sigma[l\sigma']_p$, this contradicts the minimality of $n$. $\square$

With this preparatory work done, we can reprove Proposition 3.11 and Theorem 3.12 in this new setting:

Proposition 3.21. Let $N$ be a set of constrained clauses that is saturated with respect to $\mathrm{SFD}^+$. Then $\mathcal{I}_N^{\alpha_N} \models N$ for any ground constraint $\alpha_N$ that is not covered by $A_N$.

Proof. The proof is almost identical to the proof of Proposition 3.9. The only difference is that, instead of reasoning about the minimal ground instance $(\alpha \parallel C)\sigma$ of a constrained clause $\alpha \parallel C \in N$ that is not modeled by $\mathcal{I}_N$, we consider the minimal such instance that additionally satisfies $\alpha\sigma = \alpha_N$. Lemma 3.20 states that this is sufficient. $\square$

Theorem 3.22 Refutational Completeness. Let $N$ be a set of constrained clauses over $\mathcal{F}$ that is saturated with respect to $\mathrm{SFD}^+$. Then $N$ has a Herbrand model over $\mathcal{F}$ if and only if $A_N$ is not covering.

4. FIXED DOMAIN AND MINIMAL MODEL VALIDITY OF CONSTRAINED CLAUSES

Given a constrained or unconstrained clause set $N$, we are often not only interested in the (un)satisfiability of $N$ (with or without respect to a fixed domain), but also in properties of Herbrand models of $N$ over $\mathcal{F}$, especially of $\mathcal{I}_N$. These are not always disjoint problems: We will show in Proposition 4.1 that, for some $N$ and queries of the form $\exists\vec{x}.\, A_1 \wedge \ldots \wedge A_n$, first-order validity and validity in $\mathcal{I}_N$ coincide, so that we can explore the latter with first-order techniques.

The result can be extended further: We will use our superposition calculus SFD to demonstrate classes of constrained clause sets $N$ and $H$ for which $N \models_{\mathcal{F}} H$ and $N \models_{\mathrm{Ind}} H$ coincide (Proposition 4.2). Finally, we will look at ways to improve the termination of our approach for proving properties of $\mathcal{I}_N$ (Theorem 4.9).

In this context, it is important to carefully observe the semantics of, e.g., the expression $N \models_{\mathrm{Ind}} H$ when $N$ is constrained. Consider for example the signature $\mathcal{F} = \{a, b\}$ with $a \succ b$, $N_P = \{u\approx x \parallel {}\to P(x)\}$ and $H_P = \{u\approx x \parallel P(x) \to\}$. Then $N_P \cup H_P$ is unsatisfiable, but nevertheless $H_P$ is valid in the model $\mathcal{I}_{N_P} = \{P(b)\}$, i.e. $N_P \models_{\mathrm{Ind}} H_P$. These difficulties vanish when the existential variables in $N_P$ and $H_P$ are renamed apart.

4.1 Relations between $\models$, $\models_{\mathcal{F}}$, and $\models_{\mathrm{Ind}}$

Even with standard first-order superposition, we can prove that first-order validity and validity in $\mathcal{I}_N$ coincide for some $N$ and properties $P$:

Proposition 4.1. If $N$ is a saturated set of unconstrained Horn clauses and $P$ is a conjunction of positive literals with existential closure $\exists\vec{x}.P$, then

$$N \models_{\mathrm{Ind}} \exists\vec{x}.P \iff N \models \exists\vec{x}.P .$$

Proof. $N \models \exists\vec{x}.P$ holds if and only if the set $N \cup \{\forall\vec{x}.\neg P\}$ is unsatisfiable. $N$ is Horn, so during saturation of $N \cup \{\neg P\}$, where inferences between clauses in $N$ need not be performed, only purely negative, hence non-productive, clauses can appear. That means that the Herbrand interpretation $\mathcal{I}_{N'}$ is the same for every clause set $N'$ in the derivation. So $N \cup \{\neg P\}$ is unsatisfiable if and only if $N \not\models_{\mathrm{Ind}} \forall\vec{x}.\neg P$, which is in turn equivalent to $N \models_{\mathrm{Ind}} \exists\vec{x}.P$. $\square$

If $N$ and $P$ additionally belong to the Horn fragment of a first-order logic (clause) class decidable by (unconstrained) superposition, such as for example the monadic class with equality [Bachmair et al. 1993] or the guarded fragment with equality [Ganzinger and Nivelle 1999], it is thus decidable whether $N \models_{\mathrm{Ind}} \exists\vec{x}.P$.
Given our superposition calculus for fixed domains, we can show that a result similar to Proposition 4.1 holds for universally quantified queries.

Proposition 4.2. If $N$ is a saturated set of Horn clauses and $\Gamma$ is a conjunction of positive literals with universal closure $\forall \vec{v}.\Gamma$, then

$$N \models_{\mathit{ind}} \forall \vec{v}.\Gamma \iff N \models_{\mathcal{F}} \forall \vec{v}.\Gamma .$$

Proof. $N \models_{\mathcal{F}} \forall \vec{v}.\Gamma$ holds if and only if $N \cup \{\exists \vec{v}.\neg\Gamma\}$ does not have a Herbrand model over $\mathcal{F}$.

If $N \cup \{\exists \vec{v}.\neg\Gamma\}$ does not have a Herbrand model over $\mathcal{F}$, then obviously $N \not\models_{\mathit{ind}} \exists \vec{v}.\neg\Gamma$.

Otherwise, consider the constrained clause $\alpha \parallel \Lambda \to$ corresponding to the formula $\exists \vec{v}.\neg\Gamma$ and assume without loss of generality that the existential variables in $N$ and $\alpha$ are renamed apart. The minimal models of the two sets $N$ and $N \cup \{\alpha \parallel \Lambda \to\}$ are identical, since during the saturation of $N \cup \{\alpha \parallel \Lambda \to\}$ inferences between clauses in $N$ need not be performed and so only purely negative, hence non-productive, constrained clauses can be derived. This in turn just means that $N \models_{\mathit{ind}} \exists \vec{v}.\neg\Gamma$. □

These propositions can also be proved using arguments from model theory. The shown proofs using superposition or SFD, respectively, notably the argument about the lack of new productive clauses, illustrate recurring crucial concepts of superposition-based inductive theorem proving. We will see in Example 4.4 that other superposition-based algorithms often fail because they cannot obviate the derivation of productive clauses.

Example 4.3. We consider the partial definition of the usual ordering on the naturals given by $N_G = \{\to G(s(0),0),\ G(x,y) \to G(s(x),s(y))\}$, as shown in the introduction. We want to use Proposition 4.2 to check whether or not $N_G \models_{\mathcal{F}_{\mathit{nat}}} \forall x.G(s(x),x)$. The first steps of a possible derivation are as follows:

$$\begin{array}{lrl}
\text{clauses in } N_G: & 1: & \parallel \to G(s(0),0) \\
& 2: & \parallel G(x,y) \to G(s(x),s(y)) \\
\text{negated conjecture:} & 3: & u \approx x \parallel G(s(x),x) \to \\
\text{Superposition}(1,3) = & 4: & u \approx 0 \parallel \Box \\
\text{Superposition}(2,3) = & 5: & u \approx s(y) \parallel G(s(y),y) \to \\
\text{Superposition}(1,5) = & 6: & u \approx s(0) \parallel \Box \\
\text{Superposition}(2,5) = & 7: & u \approx s(s(z)) \parallel G(s(z),z) \to
\end{array}$$

In the sequel, we repeatedly superpose the constrained clauses 1 and 2 into (descendants of) the constrained clause 5. This way, we successively derive all constrained clauses of the forms $u \approx s^n(x) \parallel G(s(x),x) \to$ and $u \approx s^n(0) \parallel \Box$, where $s^n(0)$ denotes the $n$-fold application $s(\ldots s(s(0))\ldots)$ of $s$ to $0$, and analogously for $s^n(x)$. Since the constraints of the derived constrained $\Box$ clauses are covering in the limit, we know that $N_G \models_{\mathcal{F}_{\mathit{nat}}} \forall x.G(s(x),x)$. □

Using Proposition 4.2, we can employ the calculus SFD for fixed domain reasoning to also decide properties of minimal models. This is even possible in cases for which neither the approach of Ganzinger and Stuber [Ganzinger and Stuber 1992] nor the one of Comon and Nieuwenhuis [Comon and Nieuwenhuis 2000] works.
Example 4.4. Consider yet another partial definition of the usual ordering on the naturals given by the saturated set $N'_G = \{\to G(s(x),0),\ G(x,s(y)) \to G(x,0)\}$ over the signature $\mathcal{F}_{\mathit{nat}} = \{0, s\}$. We want to prove $N'_G \not\models_{\mathit{ind}} \forall x, y.G(x,y)$.

— We start with the constrained clause $u \approx x, v \approx y \parallel G(x,y) \to$ and do the following one step derivation:

$$\begin{array}{lrl}
\text{clauses in } N'_G: & 1: & \parallel \to G(s(x),0) \\
& 2: & \parallel G(x,s(y)) \to G(x,0) \\
\text{negated conjecture:} & 3: & u \approx x, v \approx y \parallel G(x,y) \to \\
\text{Superposition}(1,3) = & 4: & u \approx s(x), v \approx 0 \parallel \Box
\end{array}$$

All further inferences are redundant (even for the extended calculus SFD⁺ from Section 3.3), thus the counterexamples to the query are exactly those for which no constrained empty clause was derived, i.e. instantiations of $u$ and $v$ which are not an instance of $\{u \mapsto s(x), v \mapsto 0\}$. Hence, these counterexamples take on exactly the form $\{u \mapsto 0, v \mapsto t_1\}$ or $\{u \mapsto t_1, v \mapsto s(t_2)\}$ for any $t_1, t_2 \in T(\mathcal{F}_{\mathit{nat}})$. Thus we know that $N'_G \not\models_{\mathcal{F}_{\mathit{nat}}} \forall x, y.G(x,y)$, and since the query is positive, we also know that $N'_G \not\models_{\mathit{ind}} \forall x, y.G(x,y)$.

— In comparison, the algorithm by Ganzinger and Stuber starts a derivation with the clause $\to G(x,y)$, derives in one step the potentially productive clause $\to G(x,0)$ and terminates with the answer "don't know".

Ganzinger and Stuber also developed an extended approach that uses a predicate $\mathit{gnd}$ defined by $\{\to \mathit{gnd}(0),\ \mathit{gnd}(x) \to \mathit{gnd}(s(x))\}$. In this context, they guard each free variable $x$ in a clause of $N$ and the conjecture by a literal $\mathit{gnd}(x)$ in the antecedent. These literals mimic the effect of restricting the instantiation of variables to ground terms over $\mathcal{F}_{\mathit{nat}}$. The derivation then starts with the following clause set:

$$\begin{array}{ll}
\text{clauses defining } \mathit{gnd}: & \to \mathit{gnd}(0) \\
& \mathit{gnd}(x) \to \mathit{gnd}(s(x)) \\
\text{modified } N: & \mathit{gnd}(x) \to G(s(x),0) \\
& \mathit{gnd}(x), \mathit{gnd}(y), G(x,s(y)) \to G(x,0) \\
\text{conjecture:} & \mathit{gnd}(x), \mathit{gnd}(y) \to G(x,y)
\end{array}$$

Whenever the conjecture or a derived clause contains negative $\mathit{gnd}$ literals, one of these is selected, e.g. always the leftmost one. This allows a series of superposition inferences with the clause $\mathit{gnd}(x) \to \mathit{gnd}(s(x))$, deriving the following infinite series of clauses:

$$\begin{array}{l}
\mathit{gnd}(x), \mathit{gnd}(y) \to G(x,y) \\
\mathit{gnd}(x_1), \mathit{gnd}(y) \to G(s(x_1),y) \\
\mathit{gnd}(x_2), \mathit{gnd}(y) \to G(s(s(x_2)),y) \\
\vdots
\end{array}$$

The extended algorithm diverges without producing an answer to the query.

— The approach by Comon and Nieuwenhuis fails as well. Before starting the actual derivation, a so-called $I$-axiomatization of the negation of $G$ has to be computed. This involves a quantifier elimination procedure as in [Comon and Lescanne 1989], that fails since the head of the clause $G(x,s(y)) \to G(x,0)$ does not contain all variables of the clause: $G$ is defined in the minimal model $\mathcal{I}_{N'_G}$ by $G(x,y) \iff (y \approx 0 \wedge \exists z.x \approx s(z)) \vee (y \approx 0 \wedge \exists z.G(x,s(z)))$, so its negation is defined by $\neg G(x,y) \iff (y \not\approx 0 \vee \forall z.x \not\approx s(z)) \wedge (y \not\approx 0 \vee \forall z.\neg G(x,s(z)))$. Quantifier elimination simplifies this to $\neg G(x,y) \iff (y \not\approx 0 \vee x \approx 0) \wedge (y \not\approx 0 \vee \forall z.\neg G(x,s(z)))$ but cannot get rid of the remaining universal quantifier:

$$\begin{array}{llll}
G(x,y) & \iff & (y \approx 0 \wedge \exists z.\ x \approx s(z)) & \\
& & \vee\ (y \approx 0 \wedge \exists z.\ G(x,s(z))) & \\
\neg G(x,y) & \iff & (y \not\approx 0 \vee \forall z.\ x \not\approx s(z)) & \\
& & \wedge\ (y \not\approx 0 \vee \forall z.\ \neg G(x,s(z))) & \\
& \iff & (y \not\approx 0 \vee (\forall z.\ x \not\approx s(z) \wedge x \approx 0) & \text{by } E(x) \\
& & \qquad \vee\ (\exists w.\forall z.\ x \not\approx s(z) \wedge x \approx s(w))) & \\
& & \wedge\ (y \not\approx 0 \vee \forall z.\ \neg G(x,s(z))) & \\
& \iff & (y \not\approx 0 \vee x \approx 0 & \text{by } G_2, UE_1 \\
& & \qquad \vee\ (\exists w.\forall z.\ x \not\approx s(z) \wedge x \approx s(w))) & \\
& & \wedge\ (y \not\approx 0 \vee \forall z.\ \neg G(x,s(z))) & \\
& \iff & (y \not\approx 0 \vee x \approx 0) & \text{by } R_1, D_2, UE_2, \\
& & \wedge\ (y \not\approx 0 \vee \forall z.\ \neg G(x,s(z))) & UE_1, EE_1
\end{array}$$

The notation of the rules is taken from [Comon 1991]. Almost all rules are reduction or simplification rules. The only exception is the explosion rule $E(x)$ which performs a signature-based case distinction on the possible instantiations for the variable $x$: either $x \approx 0$ or $x \approx s(t)$ for some term $t$.

No rule is applicable to the last formula, but there is still a universal quantifier left. Hence the quantifier elimination is not successful. □

The previous example can, alternatively, be solved using test sets [Bouhoula 1997; Bouhoula and Jouannaud 1997]. Test set approaches describe the minimal model of the specification by a set of rewrite rules in such a way that the query holds iff it can be reduced to a tautology (or a set thereof) by the rewrite rules. Such approaches rely on the decidability of ground reducibility [Plaisted 1985; Kapur et al. 1991; Kounalis 1992; Comon and Jacquemard 1997].

Following Bouhoula and Jouannaud, $N'_G$ corresponds to the following term rewrite system:

$$\begin{array}{l}
G(s(x),0) \to \mathit{true} \\
G(x,0) \to G(x,s(y)) \\
G(0,y) \to \mathit{false}
\end{array}$$

To prove $N'_G \not\models_{\mathit{ind}} \forall x, y.G(x,y)$, the algorithm maintains a set of currently regarded formulas with side conditions, which are all reducible to tautologies iff $N'_G \models_{\mathit{ind}} \forall x, y.G(x,y)$. It starts with the query $\{G(x,y) \approx \mathit{true}\}$. Using the rewrite splitting rule, a case distinction based on the possible applications of rewrite rules to $G(x,y) \approx \mathit{true}$ is performed. The result is the formula set

$$\{\ \mathit{true} \approx \mathit{true} \ \text{ if } x = s(x') \wedge y = 0,\quad G(x,y') \approx \mathit{true} \ \text{ if } y = 0 \wedge y' = s(y''),\quad \mathit{false} \approx \mathit{true} \ \text{ if } x = 0\ \}.$$

Since the last formula is not reducible to a tautology, $N'_G \not\models_{\mathit{ind}} \forall x, y.G(x,y)$ follows.
Here is a second example where all previously mentioned methods fail:

Example 4.5. The formula $\forall x \exists y.\ x \not\approx 0 \to G(x,y)$ is obviously valid in each Herbrand model of the theory $N'_G = \{\to G(s(x),0),\ G(x,s(y)) \to G(x,0)\}$ from Example 4.4 over the signature $\mathcal{F}_{\mathit{nat}} = \{0, s\}$, i.e. $N'_G \models_{\mathcal{F}_{\mathit{nat}}} \forall x \exists y.\ x \not\approx 0 \to G(x,y)$. In our inference system, this can again be proved in a two step derivation:

$$\begin{array}{lrl}
\text{clauses in } N'_G: & 1: & \parallel \to G(s(x),0) \\
& 2: & \parallel G(x,s(y)) \to G(x,0) \\
\text{negated conjecture:} & 3: & u \approx x \parallel x \approx 0 \to \\
& 4: & u \approx x \parallel G(x,y) \to \\
\text{Equality Resolution}(3) = & 5: & u \approx 0 \parallel \Box \\
\text{Superposition}(1,4) = & 6: & u \approx s(x) \parallel \Box
\end{array}$$

The constraints $u \approx 0$ and $u \approx s(x)$ of the constrained empty clauses are covering, which proves that $N'_G \models_{\mathcal{F}_{\mathit{nat}}} \forall x \exists y.\ x \not\approx 0 \to G(x,y)$.

However, all previous approaches based on implicit induction formalisms fail to prove even the weaker proposition $N'_G \models_{\mathit{ind}} \forall x \exists y.\ x \not\approx 0 \to G(x,y)$, because they cannot cope with the quantifier alternation. □

4.2 Reasoning about $\mathcal{I}_N$

As we have seen in Example 4.3, a proof of $\models_{\mathcal{F}}$ validity using SFD may require the computation of infinitely many constrained empty clauses. This is not surprising, because we have to show that an existentially quantified formula cannot be satisfied by a term-generated infinite domain. In the context of the concrete model $\mathcal{I}_N$ of a saturated and $\mathcal{F}$-satisfiable constrained clause set $N$, we can make use of additional structure provided by this model. To do so, we introduce a further inference that enables the termination of derivations in additional cases. The given version of this rule is in general not sound for $\models_{\mathcal{F}}$ but glued to the currently considered model $\mathcal{I}_N$; however, analogous results hold for every Herbrand model of $N$ over $\mathcal{F}$ and even for arbitrary sets of such models, in particular for the set of all Herbrand models of $N$ over $\mathcal{F}$.

Over any domain where an induction theorem is applicable, i.e. a domain on which a (non-trivial) well-founded partial ordering can be defined, we can exploit this structure to concentrate on finding minimal solutions. We do this by adding a form of induction hypothesis to the constrained clause set. If, e.g., $P$ is a unary predicate over the natural numbers and $n$ is the minimal number such that $P(n)$ holds, then we know that at the same time $P(n-1), P(n-2), \ldots$ do not hold. This idea will now be cast into an inference rule (Definition 4.7) that can be used during an SFD-based $\models_{\mathit{ind}}$ theorem proving derivation (Theorem 4.9).

Let $<$ be a well-founded partial ordering on the elements of $\mathcal{I}_N$, i.e. on $T(\mathcal{F})/\!\approx_{\mathcal{I}_N}$. If $s, t$ are non-ground terms with equivalence classes $[s]$ and $[t]$, then we define $[s] < [t]$ if and only if $[s\sigma] < [t\sigma]$ for all grounding substitutions $\sigma\colon X' \to T(\mathcal{F})$, where $X' \subseteq X \cup V$. The definition lifts to equivalence classes $[\sigma], [\rho]\colon X' \to T(\mathcal{F})/\!\approx$ of substitutions, where we say that $[\rho] < [\sigma]$ if and only if $[x\rho] < [x\sigma]$ for all $x \in X'$.
Lemma 4.6. Let $N$ be a saturated constrained clause set and let the constraints of the constrained empty clauses in $N$ be not covering. Let $V = \{v_1, \ldots, v_k\}$, let $\alpha = v_1 \approx x_1, \ldots, v_k \approx x_k$ be a constraint that contains only variables and let $X_\alpha = \{x_1, \ldots, x_k\}$ be the set of non-existential variables in $\alpha$. Let $H = \{\alpha \parallel C_1, \ldots, \alpha \parallel C_n\}$ be a set of constrained clauses containing only variables in $V \cup X_\alpha$. Furthermore, let $\rho_1, \rho_2\colon X_\alpha \to T(\mathcal{F}, X)$ be substitutions with $[\rho_1] < [\rho_2]$.

If $N \models_{\mathit{ind}} H$, then there is a ground substitution $\sigma\colon V \to T(\mathcal{F})$ such that

$$N \models_{\mathit{ind}} \alpha\sigma\rho_2 \to (\neg C_1\rho_1 \vee \ldots \vee \neg C_n\rho_1) .$$

Proof. Let $[\sigma_{\min}]\colon V \to T(\mathcal{F})/\!\approx$ be minimal with respect to $<$ such that $N \models_{\mathit{ind}} \{\alpha\sigma_{\min} \to C_1, \ldots, \alpha\sigma_{\min} \to C_n\}$. We will show that $\sigma_{\min}$ is the wanted substitution.

Let $X_{\rho_2}$ be the set of variables in the codomain of $\rho_2$ and let $\tau\colon X_{\rho_2} \to T(\mathcal{F})$ be such that $N \models_{\mathit{ind}} \alpha\sigma_{\min}\rho_2\tau$. Note that this set of ground equations equals $v_1\sigma_{\min} \approx x_1\rho_2\tau, \ldots, v_k\sigma_{\min} \approx x_k\rho_2\tau$ because the domains of $\rho_2\tau$ and $\sigma_{\min}$ are disjoint. We have to show that $N \models_{\mathit{ind}} \neg C_1\rho_1\tau \vee \ldots \vee \neg C_n\rho_1\tau$.

To achieve a more concise representation, we employ the symbols $\forall$ and $\exists$ on the meta level, where they are also used for higher-order quantification. The restriction of a substitution $\sigma$ to the set $V$ of existential variables is denoted by $\sigma|_V$, and $\sigma_\alpha\colon V \to T(X, \mathcal{F})$ is the substitution induced by $\alpha$, i.e. $\sigma_\alpha$ maps $v_i$ to $x_i$.

$$\begin{array}{ll}
& [\rho_1] < [\rho_2] \\
\iff & [\sigma_\alpha\rho_1] < [\sigma_\alpha\rho_2] \qquad \text{because } X_\alpha \subseteq X \\
\implies & [(\sigma_\alpha\rho_1\tau)|_V] < [(\sigma_\alpha\rho_2\tau)|_V] \\
& \text{Since } N \models_{\mathit{ind}} \alpha\sigma_{\min}\rho_2\tau, \text{ the latter class equals } [\sigma_{\min}]. \\
\implies & N \not\models_{\mathit{ind}} \{\alpha(\sigma_\alpha\rho_1\tau)|_V \to C_1(\sigma_\alpha\rho_1\tau)|_V, \ \ldots, \ \alpha(\sigma_\alpha\rho_1\tau)|_V \to C_n(\sigma_\alpha\rho_1\tau)|_V\} \\
& \text{because of the minimality of } [\sigma_{\min}] \\
\implies & \exists\tau'.\ N \models_{\mathit{ind}} \alpha(\sigma_\alpha\rho_1\tau)|_V\tau' \ \text{ and } \ N \not\models_{\mathit{ind}} C_1\tau' \wedge \ldots \wedge C_n\tau' \\
\implies & \exists\tau'.\ \forall i.\ N \models_{\mathit{ind}} v_i\sigma_\alpha\rho_1\tau \approx x_i\tau' \ \text{ and } \ N \not\models_{\mathit{ind}} C_1\tau' \wedge \ldots \wedge C_n\tau' \\
& \text{because } \tau' \text{ and } (\sigma_\alpha\rho_1\tau)|_V \text{ affect different sides of each equation in } \alpha \\
\implies & \exists\tau'.\ \forall i.\ N \models_{\mathit{ind}} x_i\rho_1\tau \approx x_i\tau' \ \text{ and } \ N \not\models_{\mathit{ind}} C_1\tau' \wedge \ldots \wedge C_n\tau' \\
\implies & \exists\tau'.\ \forall x \in X_\alpha.\ N \models_{\mathit{ind}} x\rho_1\tau \approx x\tau' \ \text{ and } \ N \models_{\mathit{ind}} \neg C_1\tau' \vee \ldots \vee \neg C_n\tau' \\
& \text{because } C_1\tau' \wedge \ldots \wedge C_n\tau' \text{ is ground} \\
\implies & N \models_{\mathit{ind}} \neg C_1\rho_1\tau \vee \ldots \vee \neg C_n\rho_1\tau \\
& \text{because } \mathrm{var}(C_i) \subseteq X_\alpha \text{ for } i \in \{1, \ldots, n\} \text{ and } \tau'\colon X_\alpha \to T(\mathcal{F}). \qquad \Box
\end{array}$$

Usually when we consider sets of constrained clauses, all considered constrained clauses are supposed to have been renamed in advance so that they do not have any universal variables in common. We deviate from this habit here by forcing the common constraint $\alpha = v_1 \approx x_1, \ldots, v_k \approx x_k$ upon all constrained clauses in $H$. Note that this does not affect the semantics because of the order of existential and universal quantifiers. E.g., the constrained clause set $\{u \approx x \parallel P(x) \to,\ u \approx y \parallel \to P(y)\}$ has the semantics $\exists u.\forall x, y.\ (u \not\approx x \vee \neg P(x)) \wedge (u \not\approx y \vee P(y))$, which is equivalent to the semantics $\exists u.\forall x.\ (u \not\approx x \vee \neg P(x)) \wedge (u \not\approx x \vee P(x))$ of the constrained clause set $\{u \approx x \parallel P(x) \to,\ u \approx x \parallel \to P(x)\}$.

The formula $\alpha\rho_2 \to (\neg C_1\rho_1 \vee \ldots \vee \neg C_n\rho_1)$ can usually not be written as a single equivalent constrained clause if some $C_i$ contains more than one literal. However, if $D_1 \wedge \ldots \wedge D_m$ is a conjunctive normal form of $\neg C_1 \vee \ldots \vee \neg C_n$, then each $D_j$ is a disjunction of literals and so $\alpha\rho_2 \parallel D_j\rho_1$ is a constrained clause.

We will now cast these ideas into an inference rule.

Definition 4.7. The inductive superposition calculus IS($H$) with respect to a finite constrained clause set $H$ is the union of SFD and the following inference rule:

— Induction with respect to $H$:

$$\frac{\alpha \parallel C_1 \qquad \ldots \qquad \alpha \parallel C_n}{\alpha\rho_2 \parallel D\rho_1}$$

where (i) $H = \{\alpha \parallel C_1, \ldots, \alpha \parallel C_n\}$, (ii) $\alpha = v_1 \approx x_1, \ldots, v_m \approx x_m$ is a constraint containing only equations between variables (and $V = \{v_1, \ldots, v_m\}$), (iii) all variables of the premises occur in $\alpha$, (iv) $\rho_1, \rho_2\colon \{x_1, \ldots, x_m\} \to T(\mathcal{F}, X)$ and $[\rho_1] < [\rho_2]$, and (v) $D$ is an element of the conjunctive normal form of $\neg C_1 \vee \ldots \vee \neg C_n$.

Lemma 4.6 ensures that all constrained clauses derived by the induction inference rule with respect to $H$ will have a common solution with the initial query $H$, because the preserved solution $[\sigma_{\min}]$ is independent of the choices of $\rho_1$ and $\rho_2$.

Example 4.8. Let $\mathcal{F}_{\mathit{nat}} = \{0, s\}$ and $N_P = \{\to P(s(s(x)))\}$. All clauses derivable by the induction inference rule wrt. $H_P = \{u \approx x \parallel \to P(x)\}$ are of one of the forms $u \approx s^{n+m}(0) \parallel P(s^n(0)) \to$, $u \approx s^{n+m}(0) \parallel P(s^n(x)) \to$ or $u \approx s^{n+m}(x) \parallel P(s^n(x)) \to$ for natural numbers $n, m$ with $m > 0$. All these formulas and the initial constrained clause set $H_P$ have in $\mathcal{I}_{N_P}$ the common solution $\{u \mapsto s(s(0))\}$. □

We can thus, to decide the validity of $H$ in $\mathcal{I}_N$, use the induction inference rule for $H$ in a theorem proving derivation:

Theorem 4.9 (Soundness of the Induction Rule). Let $N$ be a constrained clause set that is saturated with respect to SFD and let the constraints of the constrained empty clauses in $N$ be not covering. Let $V = \{v_1, \ldots, v_k\}$, let $\alpha = v_1 \approx x_1, \ldots, v_k \approx x_k$ be a constraint that contains only variables and let $X_\alpha = \{x_1, \ldots, x_k\}$ be the set of non-existential variables in $\alpha$. Let $H$ be a finite set of constrained clauses containing only variables in $V \cup X_\alpha$.

If $N \cup H'$ is derived from $N \cup H$ using IS($H$), then $N \models_{\mathit{ind}} H \iff N \models_{\mathit{ind}} H'$.

Proof. This follows directly from Proposition 3.15, which implies that the solutions of $H$ are not changed by the rules in SFD, and Lemma 4.6, which states that minimal solutions are invariant under the induction inference rule for $H$. □

This theorem basically states that the addition of constrained clauses of the presented form is a valid step in a $\models_{\mathit{ind}}$ theorem proving derivation that starts from $N$ and $H$ and uses the calculus SFD. Before we come to applications of the induction rule, let us shortly investigate the side conditions to this rule. Conditions (iv) and (v) are direct consequences of the ideas developed at the beginning of this section. Conditions (i)–(iii) are needed to guarantee soundness.
Example 4.10. We present some examples to show how a violation of one of the conditions (i)–(iii) makes the induction rule unsound.

(i) It is important to use the induction rule on the whole query set only (condition (i)), because the minimal solution of a subset of the query may not be equal to the minimal solution of the whole query. Let us consider the constrained clause set $N_{(i)} = \{\to P(x),\ Q(a) \to Q(b)\}$ over the signature $\{a, b\}$ where $[b] < [a]$, and the query $H_{(i)} = \{u \approx x \parallel \to P(x),\ u \approx x \parallel \to Q(x)\}$. The set $N_{(i)} \cup H_{(i)}$ is satisfiable over $\{a, b\}$: just set $u \mapsto b$. Using the induction rule for $H_{(i)}$, only the redundant constrained clause $u \approx b \parallel P(a), Q(a) \to$ is derivable, namely for $\rho_1(x) = b$ and $\rho_2(x) = a$. If we apply the induction rule for $\{u \approx x \parallel \to P(x)\}$ instead of $H_{(i)}$, ignoring condition (i), we can derive the constrained clause $u \approx b \parallel P(a) \to$. The combined set $N_{(i)} \cup H_{(i)} \cup \{u \approx b \parallel P(a) \to\}$ is unsatisfiable over $\{a, b\}$.

(ii) For an example illustrating the need for condition (ii), consider the constrained clause set $N_{(ii)} = \{s(0) \approx 0 \to,\ \to s(s(x)) \approx x\}$ over the signature $\mathcal{F}_{\mathit{nat}} = \{s, 0\}$. In the minimal model of $N_{(ii)}$, all ground terms representing even numbers are equivalent, as are all ground terms representing odd numbers, i.e. there are exactly two equivalence classes, $[0]$ and $[s(0)]$. Let $[0] < [s(0)]$ and consider the query $H_{(ii)} = \{u \approx s(x) \parallel \to x \approx 0\}$. The instantiation $u \mapsto s(0)$ is a witness of the validity of $H_{(ii)}$ in the minimal model of $N_{(ii)}$. However, applying the induction rule on $H_{(ii)}$ in violation of condition (ii) with $\rho_1(x) = 0$ and $\rho_2(x) = s(0)$, we can derive $u \approx s(s(0)) \parallel 0 \approx 0 \to$. The only instantiation validating this constrained clause in the minimal model of $N_{(ii)}$ is $u \mapsto 0$, i.e. the combined set $N_{(ii)} \cup H_{(ii)} \cup \{u \approx s(s(0)) \parallel 0 \approx 0 \to\}$ is not valid in this model.

(iii) Now consider the empty theory $N_{(iii)} = \{\}$ over the signature $\mathcal{F}_{\mathit{nat}}$ with $[0] < [s(0)] < [s(s(0))] < \ldots$ and the query $H_{(iii)} = \{u \approx x \parallel y \approx x \to y \approx s(0)\}$. The instantiation $u \mapsto s(0)$ shows that $H_{(iii)}$ is valid in the minimal model $T(\mathcal{F}_{\mathit{nat}})$ of $N_{(iii)}$. Note that no other instantiation of $u$ can show this. If we ignore condition (iii) and apply the induction rule to $H_{(iii)}$ with $\rho_1(x) = x$ and $\rho_2(x) = s(x)$, we can derive $u \approx s(x) \parallel y \approx s(0) \to$. This constrained clause can only be satisfied in the minimal model of $N_{(iii)}$ by the instantiation $u \mapsto 0$. Since this instantiation is not suited for $H_{(iii)}$, $H_{(iii)} \cup \{u \approx s(x) \parallel y \approx s(0) \to\}$ is not valid in the minimal model of $N_{(iii)}$. □

Some examples will demonstrate the power of the extended calculus IS($H$). In these examples, there will always be a unique (non-empty) set $H$ satisfying the side conditions of the induction rule, and we will write IS instead of IS($H$).

The induction rule will often allow the derivation of an unbounded number of conclusions. So the application of this rule in all possible ways is clearly infeasible. It seems appropriate to employ it only when a conclusion can directly be used for a superposition inference simplifying another constrained clause. We will use this heuristic in the examples below.

Example 4.11. We revisit the partial definition of the usual ordering on the naturals given by $N_G = \{\to G(s(0),0),\ G(x,y) \to G(s(x),s(y))\}$, as shown in the introduction and in Example 4.3. Again, we want to check whether or not $N_G \models_{\mathcal{F}_{\mathit{nat}}} \forall x.G(s(x),x)$. While the derivation in Example 4.3 diverges, a derivation using IS terminates after only a few steps:

$$\begin{array}{lrl}
\text{clauses in } N_G: & 1: & \parallel \to G(s(0),0) \\
& 2: & \parallel G(x,y) \to G(s(x),s(y)) \\
\text{negated conjecture:} & 3: & u \approx x \parallel G(s(x),x) \to \\
\text{Superposition}(1,3) = & 4: & u \approx 0 \parallel \Box \\
\text{Superposition}(2,3) = & 5: & u \approx s(y) \parallel G(s(y),y) \to \\
\text{Induction}(3) = & 6: & u \approx s(z) \parallel \to G(s(z),z) \\
\text{Superposition}(6,5) = & 7: & u \approx s(z) \parallel \Box
\end{array}$$

The induction rule was applied using $H = \{u \approx x \parallel G(s(x),x) \to\}$, $\rho_1(x) = z$ and $\rho_2(x) = s(z)$. At this point, the constrained clauses $u \approx 0 \parallel \Box$ and $u \approx s(z) \parallel \Box$ have been derived. Their constraints are covering for $\{s, 0\}$, which means that $N_G \models_{\mathit{ind}} \forall x.G(s(x),x)$. Because of Proposition 4.2, this implies $N_G \models_{\mathcal{F}_{\mathit{nat}}} \forall x.G(s(x),x)$. □

Example 4.12. A standard example that can be solved by various approaches (e.g. [Ganzinger and Stuber 1992; Comon and Nieuwenhuis 2000]) is the theory of addition on the natural numbers: $N_+ = \{\to 0 + y \approx y,\ \to s(x) + y \approx s(x + y)\}$. A proof of $N_+ \models_{\mathit{ind}} \forall x.\ x + 0 \approx x$ with IS terminates quickly:

$$\begin{array}{lrl}
\text{clauses in } N_+: & 1: & \parallel \to 0 + y \approx y \\
& 2: & \parallel \to s(x) + y \approx s(x + y) \\
\text{negated conjecture:} & 3: & u \approx x \parallel x + 0 \approx x \to \\
\text{Superposition}(1,3) = & 4: & u \approx 0 \parallel 0 \approx 0 \to \\
\text{Equality Resolution}(4) = & 5: & u \approx 0 \parallel \Box \\
\text{Superposition}(2,3) = & 6: & u \approx s(y) \parallel s(y + 0) \approx s(y) \to \\
\text{Induction}(3) = & 7: & u \approx s(z) \parallel \to z + 0 \approx z \\
\text{Superposition}(7,6) = & 8: & u \approx s(z) \parallel s(z) \approx s(z) \to \\
\text{Equality Resolution}(8) = & 9: & u \approx s(z) \parallel \Box
\end{array}$$

The induction rule was applied using $H = \{u \approx x \parallel x + 0 \approx x \to\}$, $\rho_1(x) = z$ and $\rho_2(x) = s(z)$. At this point, the constrained clauses $u \approx 0 \parallel \Box$ and $u \approx s(z) \parallel \Box$ have been derived. Their constraints cover all constraints of the form $u \approx t$, $t \in T(\mathcal{F}_{\mathit{nat}}, X)$, which means that $N_+ \models_{\mathit{ind}} u \approx x \parallel \to x + 0 \approx x$, i.e. $N_+ \models_{\mathit{ind}} \forall x.\ x + 0 \approx x$.

Without the induction rule, the derivation in this example would resemble the one in Example 4.3 and diverge. We would thus not even gain information about the $\models_{\mathcal{F}_{\mathit{nat}}}$ validity of the query. Here, however, we can again apply Proposition 4.2 to show additionally that $N_+ \models_{\mathcal{F}_{\mathit{nat}}} \forall x.\ x + 0 \approx x$. □

Along the same lines, we can also prove that addition is symmetric, i.e. $N_+ \models_{\mathit{ind}} \forall x, y.\ x + y \approx y + x$. In this case, we need to apply the induction rule twice to obtain the additional clauses

$$u \approx x, v \approx s(y') \parallel \to x + y' \approx y' + x$$

and

$$u \approx s(x'), v \approx y \parallel \to x' + y \approx y + x' .$$

Example 4.13. Given the theory $N_E = \{\to E(0),\ E(x) \to E(s(s(x)))\}$ of the natural numbers together with a predicate describing the even numbers, we show that $N_E \not\models_{\mathit{ind}} \forall x.E(x)$. A possible derivation runs as follows:
$$\begin{array}{lrl}
\text{clauses in } N_E: & 1: & \parallel \to E(0) \\
& 2: & \parallel E(x) \to E(s(s(x))) \\
\text{negated conjecture:} & 3: & u \approx x \parallel E(x) \to \\
\text{Superposition}(1,3) = & 4: & u \approx 0 \parallel \Box \\
\text{Superposition}(2,3) = & 5: & u \approx s(s(y)) \parallel E(y) \to \\
\text{Induction}(3) = & 6: & u \approx s(s(z)) \parallel \to E(z) \\
\text{Superposition}(6,5) = & 7: & u \approx s(s(z)) \parallel \Box
\end{array}$$

The induction rule was applied using $H = \{u \approx x \parallel E(x) \to\}$, $\rho_1(x) = z$ and $\rho_2(x) = s(s(z))$. The set $\{(1), \ldots, (7)\}$ is saturated with respect to SFD. We could, of course, use the induction rule to derive one more non-redundant constrained clause, namely $u \approx s(z) \parallel \to E(z)$. However, this constrained clause cannot be used in any further inference. All other constrained clauses derivable by the induction rule are redundant.

The derived constrained empty clauses are $u \approx 0 \parallel \Box$ and $u \approx s(s(z)) \parallel \Box$. Their constraints are not covering: they miss exactly the constraint $u \approx s(0)$, and in fact $N_E \models_{\mathit{ind}} E(s(0)) \to$.

Note that, although also $N_E \models_{\mathit{ind}} E(s(s(s(0)))) \to$, we cannot derive this nor any other additional counterexample. This is due to the fact that the application of the induction rule preserves only the minimal satisfying constraint. □
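The covering check that closes Examples 4.3, 4.5, 4.11, 4.12 and 4.13 (are the constraints of the derived empty clauses $u \approx t$ covering, and if not, which ground terms do they miss?) is mechanical for a finite constraint set over $\mathcal{F}_{\mathit{nat}} = \{0, s\}$. The following Python function is an added illustration written for this edit; it is not code from the paper, and the textual term syntax ("s(s(z))" for $s(s(z))$) and all function names are our own choices.

```python
# Added example, not part of the paper: decide whether a finite set of
# constraints u ≈ t over F_nat = {0, s} is covering, i.e. whether every
# ground term s^k(0) is an instance of some t.  Each t is written as in
# the paper, e.g. "s(s(z))", and is either s^n(0) or s^n(x) for a variable x.
# The textual syntax and the names below are our own choices.
from __future__ import annotations

import re

# s( ... s( c ) ... ) where c is the constant 0 or a one-letter variable
_TERM = re.compile(r"^(?:s\()*[0a-z]\)*$")


def parse(term: str) -> tuple[int, bool]:
    """Return (n, is_ground) for a term of the form s^n(0) or s^n(x)."""
    t = term.replace(" ", "")
    if not _TERM.match(t):
        raise ValueError(f"not a term over {{0, s}}: {term!r}")
    n = t.count("s(")
    if t.count(")") != n:
        raise ValueError(f"unbalanced parentheses: {term!r}")
    core = t[2 * n:len(t) - n]      # the symbol wrapped by n applications of s
    return n, core == "0"


def covering(constraints: list[str]) -> tuple[bool, list[str] | None]:
    """
    s^k(0) is an instance of s^n(0) iff k == n, and of s^n(x) iff k >= n.
    Hence the set is covering iff some variable-tailed constraint exists and
    every k below the smallest variable depth is hit by a ground constraint.
    Returns (is_covering, missing): `missing` lists the uncovered s^k(0)
    below the smallest variable depth, or is None when no variable-tailed
    term exists, because then infinitely many ground terms are uncovered.
    """
    ground_depths: set[int] = set()
    var_depths: list[int] = []
    for c in constraints:
        n, is_ground = parse(c)
        if is_ground:
            ground_depths.add(n)
        else:
            var_depths.append(n)
    if not var_depths:
        return False, None
    bound = min(var_depths)
    missing = [f"s^{k}(0)" for k in range(bound) if k not in ground_depths]
    return not missing, missing


if __name__ == "__main__":
    # Constraints of the constrained empty clauses in the paper's examples.
    cases = [
        ("Example 4.11 / 4.12", ["0", "s(z)"]),
        ("Example 4.5", ["0", "s(x)"]),
        ("Example 4.13", ["0", "s(s(z))"]),
        ("Example 4.3, finite prefix", ["0", "s(0)", "s(s(0))"]),
    ]
    for name, cs in cases:
        print(f"{name}: covering={covering(cs)[0]}, missing={covering(cs)[1]}")
```

For Example 4.13 the function reports the single missing constraint $u \approx s(0)$, the counterexample the text identifies; for the finite prefixes of Example 4.3 it reports `None`, reflecting that the derivation there covers the domain only in the limit.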

5. CONCLUSION

We have presented the superposition calculi SFD and SFD⁺, which are sound and refutationally complete for a fixed domain semantics for first-order logic. Compared to other approaches in model building over fixed domains, our approach is applicable to a larger class of clause sets. We showed that standard first-order and fixed domain superposition-based reasoning, respectively, delivers minimal model results for some cases. Moreover, we presented a way to prove the validity of minimal model properties by use of the calculus IS($H$), combining SFD and a specific induction rule.

The most general inductive theorem proving methods based on saturation so far are those by Ganzinger and Stuber [Ganzinger and Stuber 1992] and Comon and Nieuwenhuis [Comon and Nieuwenhuis 2000]. Both approaches work only on sets of purely universal and universally reductive (Horn) clauses. Given such a clause set $N$ and a query $\forall \vec{x}.C$, Comon and Nieuwenhuis compute a so-called $I$-axiomatization $A$ such that $N \models_{\mathit{ind}} A$ and $N \cup A$ has only one Herbrand model, and then check the first-order satisfiability of $N \cup A \cup \{C\}$. Like ours, this method is refutationally complete but not terminating. In fact, the clause set $A$ does in general not inherit properties of $N$ like universal reductiveness or being Horn, so that the saturation of $N \cup A \cup \{C\}$ does not necessarily terminate even if $N \cup \{C\}$ belongs to a finitely saturating fragment. Ganzinger and Stuber, on the other hand, basically saturate $N \cup \{C\}$. Even if $N \cup \{C\}$ saturates finitely, this results in a non-complete procedure because productive clauses may be derived. They also present a way to guarantee completeness by forcing all potentially productive atoms to the ground level. This effectively results in an enumeration of ground instances, at the cost that the resulting algorithm almost never terminates.

We gave an example of a purely universal inductive theorem proving problem that can be solved using SFD while neither of the above approaches works (Example 4.4). Additionally, we showed how we can also prove formulas with a $\forall\exists$ quantifier alternation, i.e. check the validity of $\forall^*\exists^*$-quantified formulas. The opposite $\exists\forall$ quantifier alternation or subsequent alternations can currently not be tackled by our calculus and are one potential subject for future work.

Another intensely studied approach to inductive theorem proving is via test sets [Kapur et al. 1991; Bouhoula 1997; Bouhoula and Jouannaud 1997]. Test sets rely on the existence of a set of constructor symbols that are either free or specified by unconditional equations only. Such properties are not needed for the applicability of our calculus. However, in order to effectively apply our induction rule, we need decidability of the ordering $<$ on $\mathcal{I}_N$, i.e. on the $T(\mathcal{F})/\!\approx_{\mathcal{I}_N}$ equivalence classes. The existence of constructor symbols is often useful to establish this property. Examples 4.3 and 4.5 are not solvable via test sets, whereas Example 4.4 is.

Finally, works in the tradition of Caferra and Zabel [Caferra and Zabel 1992] or Kapur [Kapur et al. 1991; Kapur and Subramaniam 2000; Giesl and Kapur 2003; Falke and Kapur 2006] consider only restricted forms of equality literals, and related publications by Peltier [Peltier 2003] pose strong restrictions on the clause sets (e.g. that they have a unique Herbrand model).

In summary, our approach does not need many of the prerequisites required by previous approaches, like solely universally reductive clauses in $N$, solely Horn clauses, solely purely universal clauses, solely non-equational clauses, the existence and computability of an $I$-axiomatization making the minimal model the unique Herbrand model, or the existence of explicit constructor symbols. Its success is built on a superposition-based saturation concept.

There are several obvious ways in which to extend the presented calculi. In analogy to the work of Bachmair and Ganzinger [Bachmair and Ganzinger 1994], it is possible to extend the new superposition calculi by negative literal selection, with the restriction that no constraint literals may be selected. This does not affect refutational completeness. For universally reductive clause sets $N$, it is also possible to make the inductive theorem proving calculus IS($H$) (with selection) refutationally complete, following the approach of Ganzinger and Stuber [Ganzinger and Stuber 1992]. As in their context, this particular superposition strategy carries the disadvantage of enumerating all ground instances of all clauses over to our setting. So it can hardly be turned into a decision procedure for clause classes having infinite Herbrand models. In some cases, the induction rule might constitute a remedy: in case we can finitely saturate a clause set $N$, the ordering $<$ on its minimal model $\mathcal{I}_N$ may become effective and hence the induction rule may be effectively usable to finitely saturate clause sets that otherwise have an infinite saturation.

Our hope is that the success of the superposition-based saturation approach on identifying decidable classes with respect to the classical first-order semantics can be extended to some new classes for the fixed domain and minimal model semantics. Decidability results for the fixed domain semantics are hard to obtain for infinite Herbrand domains, but the problem can now be attacked using the sound and refutationally complete calculus SFD. This will require in addition the extension of the redundancy notion suggested in Section 3 as well as more expressive constraint languages. Here, concepts and results from tree automata could play a role. First results in this direction have been established [Horbach and Weidenbach 2009b].

It also turns out that an extension of the current algorithm can be employed to decide the validity of various classes of formulae with a $\forall^*\exists^*$ or $\exists^*\forall^*$ prefix in models that are represented by a conjunction of atoms or by the contexts computed in model evolution [Horbach and Weidenbach 2009a].